Abstract. A logic is presented for reasoning on iterated sequences of formulae over some given base language. The considered sequences, or schemata, are defined inductively, on some algebraic structure (for instance the natural numbers, the lists, the trees etc.). A proof procedure is proposed to relate the satisfiability problem for schemata to that of finite disjunctions of base formulae. It is shown that this procedure is sound, complete and terminating, hence the basic computational properties of the base language can be carried over to schemata.

1 Introduction 

We introduce a logic for reasoning on iterated schemata of formulae. The schemata we consider are infinite sequences of formulae over a given base language, and these sequences are defined by induction on some algebraic structure (e.g. the natural numbers). As an example, consider the following sequence of propositional formulae $\phi_n$, parameterized by a natural number $n$:

$$\phi_0 \to \top \qquad\qquad \phi_{n+1} \to \phi_n \wedge (p(n) \Rightarrow p(n+1)).$$

It is clear that the formula $\phi_n \wedge p(0) \wedge \neg p(n)$ is unsatisfiable, for every $n \in \mathbb{N}$. This can be easily checked by any SAT-solver, for every fixed value of $n$. Here the base language is propositional logic and the sequence is defined over the natural numbers. However, proving that it is unsatisfiable for every $n \in \mathbb{N}$ is a much harder task which obviously requires the use of mathematical induction. Similarly, consider the sequence:

$$\psi_{nil} \to \top \qquad\qquad \psi_{cons(x,y)} \to \psi_y \wedge \big((\exists u\, p(y,u)) \Rightarrow (\exists v\, p(cons(x,y),v))\big)$$

Then $\psi_l \wedge p(nil, a) \wedge \forall u\, \neg p(l, u)$ is unsatisfiable, for every (finite) list $l$. Here the base language is first-order logic and the sequence is defined over the set of lists. Such inductively defined sequences are ubiquitous in mathematics and computer science. They are often introduced to analyze the complexity of proof procedures. From a more practical point of view, schemata of propositional formulae are used to model properties of circuits parameterized by natural numbers, which can represent, e.g., the number of bits, number of layers etc. (see for instance [1], where a language is introduced to denote inductively defined boolean functions which can be used to model such parameterized circuits). In mathematics, schemata of first-order formulae can model inductive proofs, which can be seen as infinite (unbounded) sequences of first-order formulae (see [5] for an example of the use of this technique in proof analysis).

We now provide a slightly more complex example. The following schema $\psi_t$ encodes a multiplexer, inductively defined as follows. The base case is denoted by $Base(x)$, where $x$ denotes an arbitrary signal. In this case, the output of the circuit is simply the output of $x$, denoted by $signal(x)$. The inductive case is denoted by $Ind(i, x, y)$, where $i$ is a select input and $x$ and $y$ are two smaller instances of the multiplexer. Its output is either the output of $x$ or that of $y$, depending on the value of $i$.

$$\begin{array}{rcl}
\psi_{Base(x)} & \to & out(Base(x)) \Leftrightarrow signal(x) \\
\psi_{Ind(i,x,y)} & \to & (\neg signal(i) \vee (out(Ind(i,x,y)) \Leftrightarrow out(x))) \\
& & \wedge\ (signal(i) \vee (out(Ind(i,x,y)) \Leftrightarrow out(y))) \\
& & \wedge\ \psi_x \wedge \psi_y
\end{array}$$

Note that this kind of circuit cannot be encoded in the language of (regular) propositional schemata defined in [2,3], because the number of inputs is exponential in the depth of the circuit. Hence, the use of non-monadic function symbols is mandatory.

In this paper, we devise a proof procedure to check the satisfiability of these sequences. More precisely, we introduce a formal language for modeling sequences of formulae defined over an arbitrary base language (encoded as first-order formulae interpreted in some particular theory) and we show that the computational properties of the base logic carry over to these schemata: if the satisfiability problem is decidable (resp. semi-decidable) for the base language then it is also decidable (resp. semi-decidable) for the corresponding schemata. For instance, the satisfiability problem is decidable for schemata of propositional formulae and semi-decidable for schemata of first-order formulae. The basic principle of our proof procedure consists in relating the satisfiability of any iterated schema of formulae to that of a finite disjunction of base formulae. The complexity of the satisfiability problem, however, is not preserved in general, since the number of formulae in the disjunction may be exponential.

This work generalizes previous results [2,3] in two directions: first the base language is no longer restricted to propositional logic¹ and second the sequences are defined over arbitrary algebraic structures, and not only over the natural numbers. Abstracting from the base language leads to an obvious gain in applicability since our approach now applies to any logic, provided a proof procedure exists for testing the satisfiability of base formulae. Besides, it has the advantage that the reasoning on schemata is now clearly separated from the reasoning on formulae in the base language, which may be postponed. This should make our approach much more scalable, since any existing system could now be used as a "black box" to handle the basic part of the reasoning (whereas the two aspects were closely interleaved in our first approach, yielding additional computational costs). Both extensions significantly increase the scope of our approach.

¹ A first extension to some decidable theories such as Presburger arithmetic was considered in [4].

The extension to arbitrary structures turns out to be the most difficult from a theoretical point of view, mainly because, as we shall see, the number of parameters can increase during the decomposition phase, yielding an increase of the number of related non-decomposable formulae in each branch, which can in principle prevent termination. In contrast to what happens in the simpler case of propositional schemata, these formulae cannot in general be deleted by the purity principle, since they are not independent from the other formulae in the branch. To overcome this problem, we devise a specific instantiation strategy based on a careful analysis of the depth of terms represented by the parameters, and we define a new loop detection mechanism. This blocking rule is more general and more complex than the one in [5]. We show that it is general enough, together with the proposed instantiation strategy, to ensure termination. Termination is however much more difficult to prove than for propositional schemata defined over natural numbers.

The types of structures that can be handled are quite general: they are defined by sets of (possibly non-free) constructors on a sorted signature. The terms can possibly contain elements of a non-inductive sort. For instance, a list may be defined inductively on an arbitrary set of elements.

Related Work 

There exist many logics and frameworks in which the previous schemata can be encoded, for instance higher-order logic [7], first-order $\mu$-calculus [17], or logics with inductive definitions [1] that are widely used in proof assistants [18]. However, the satisfiability problem is not even semi-decidable for these logics (due to Gödel's famous result). Very little published research seems to be focused on the identification of complete subclasses, and iterated schemata definitely do not lie in these classes and cannot be reduced to them either. Our approach ensures that the basic computational properties of the base language (decidability or semi-decidability) are preserved, at the cost of additional restrictions on the syntax of the schemata under consideration. Furthermore, the modeling of schemata in higher-order languages, although possible from a theoretical point of view, is cumbersome and not very natural in practice.

There exist several approaches in inductive theorem proving, ranging from explicit induction approaches (see for instance [11] or [5]) used mainly by proof assistants to implicit induction schemes used in rewrite-based theorem provers [8,9], or even to inductionless induction [15,12], where inductive validity is reduced to a mere satisfiability check. Such approaches can in principle handle some of the formulae we consider in the present work, provided the base language can be axiomatized. Existing approaches are usually only complete for refutation, in the sense that false conjectures can be disproved, but inductive theorems cannot always be recognized (this is theoretically unavoidable). Once again, very few termination results exist for such provers and our language does not fall in the scope of the known complete classes (see for instance [13]). In general, inductive theorem proving requires strong human guidance, especially for specifying the needed inductive lemmata. In contrast, our procedure is purely automatic. Of course, this comes at the expense of strongly reducing the form of the inductive axioms. Furthermore, although very restricted to ensure termination and/or completeness, our language allows for more general queries, possibly containing nested quantifiers, which are in general out of the scope of existing automated inductive theorem provers. Indeed, most existing approaches aim at establishing the inductive validity of universal queries w.r.t. a first-order axiomatization (usually a set of clauses). In contrast, our method can handle more general goals of the form $\forall \vec{x}\, \phi$, where $\vec{x}$ is a vector of variables interpreted over the considered algebraic structure and $\phi$ is a formula containing arbitrary quantifiers in the base language.

Practical attempts to use existing inductive theorem provers (such as ACL2 [10]) to check the satisfiability of schemata such as those in the Introduction fail for every formula except the most trivial ones. We believe that this is not due to a lack of efficiency, but rather to the fact that additional inductive lemmata are required, which cannot be generated automatically by the systems. In some sense, our method (and especially the loop detection rule) can be viewed as an automatic way to generate such lemmata. Our method is also more modular: we make a clear distinction between the reasoning over the base logic and the one over inductive definitions. Inference rules are devised for the latter and an external prover is used to establish the validity of formulae in the base language.

Since parameterized schemata can obviously be seen as monadic predicates, a seemingly natural idea would be to encode them in monadic second-order logic and use an automata-based approach (see, e.g., [16]) to solve the satisfiability problem. However, as we shall see in Section 3, the unfolding of the inductive definitions contained in a given formula may well increase the number of parameters occurring in it. Since these parameters may share subterms, the formulae containing them are not independent, hence they must be handled simultaneously, in the same branch. Thus a systematic decomposition into monadic atoms (in the style of automata-based approaches) is not feasible.

All proofs can be found in the Appendix. 

2 A Logic for Iterated Schemata 

The schemata we consider in this paper are encoded as first-order formulae, together with a set of rewrite rules specifying the interpretation of certain monadic predicate symbols. Our language is not a subclass of first-order logic: indeed, some sort symbols will be interpreted on an inductively defined domain (e.g. on the natural numbers). Furthermore, the formulae can be interpreted modulo some particular theory, specified by a class of interpretations.

We first briefly review usual notions and notations. We consider first-order terms and formulae defined on a sorted signature. Let $\mathcal{S}$ be a set of sort symbols. Let $\Sigma$ be a set of function symbols, together with a function $profile$ mapping every symbol in $\Sigma$ to a unique non-empty sequence of elements of $\mathcal{S}$. We write $f : s_1 \times \cdots \times s_n \to s$ if $profile(f) = s_1, \ldots, s_n, s$ with $n \geq 0$, and $a : s$ if $profile(a) = s$ (in this case $a$ is a constant symbol). A symbol is of sort $s$ and of arity $n$ if its profile is of the form $s_1, \ldots, s_n, s$ (possibly with $n = 0$). The set of function symbols of sort $s$ is denoted by $\Sigma_s$. Let $(\mathcal{V}_s)_{s \in \mathcal{S}}$ be a family of pairwise disjoint sets of variables of sort $s$, and $\mathcal{V} = \bigcup_{s \in \mathcal{S}} \mathcal{V}_s$. We denote by $\mathcal{T}_s$ the set of terms of sort $s$ built as usual on $\Sigma$ and $\mathcal{V}$. A term not containing any variable is ground.

Definition 1. Let $\mathcal{I}$ be a subset of $\mathcal{S}$. The elements of $\mathcal{I}$ are called the inductive sorts. An $\mathcal{I}$-term is a term of a sort $s \in \mathcal{I}$.

Let $\mathcal{C} \subseteq \Sigma$ be a set of constructors, such that the sort of every symbol in $\mathcal{C}$ is in $\mathcal{I}$ and such that every non-constant symbol in $\bigcup_{s \in \mathcal{I}} \Sigma_s$ is in $\mathcal{C}$. A parameter is a constant symbol of a sort occurring in the profile of a constructor (parameters are denoted by upper-case letters). A term containing only function symbols in $\mathcal{C}$ and variables of sorts in $\mathcal{S} \setminus \mathcal{I}$ is a constructor term.

Constructors of a sort $s \in \mathcal{I}$ are meant to define the domain of $s$, see Definition 5. The constant symbols that are not constructors can be seen as existential variables denoting arbitrary elements of a sort in $\mathcal{I}$ (notice however that $\mathcal{C}$ possibly contains constant symbols). We assume that $\mathcal{I}$ contains a sort symbol $nat$, with two constructors $0 : nat$ and $succ : nat \to nat$.

Example 1. Assume that we intend to reason on lists of elements of an arbitrary sort $s$. Then $\mathcal{S}$ contains the sort symbols $s$ and $list$, where $\mathcal{I} = \{list\}$. The constructors are $nil : list$ and $cons : s \times list \to list$. The set of parameters contains constant symbols of sorts $s$ or $list$ (denoting respectively elements and lists). If $A_1, A_2$ are parameters of sort $s$, then $cons(A_1, cons(A_2, nil))$ is a term of sort $list$.

Similarly, if one wants to reason on lists of natural numbers, then one should take $\mathcal{I} = \mathcal{S} = \{nat, list\}$. In this case, $\mathcal{C} = \{nil : list,\ cons : nat \times list \to list,\ 0 : nat,\ succ : nat \to nat\}$.

Let $(\mathcal{D}_s)_{s \in \mathcal{I}}$ be a family of disjoint sets of defined symbols of sort $s$, disjoint from $\Sigma$, and $\mathcal{D} = \bigcup_{s \in \mathcal{I}} \mathcal{D}_s$. An atom is either an equation of the form $t \simeq s$, where $t, s$ are terms of the same sort, or a defined atom, of the form $d_t$, where $d \in \mathcal{D}_s$, for some $s \in \mathcal{I}$, and $t \in \mathcal{T}_s$. The arguments of the symbols in $\mathcal{D}$ are written as indices in order to distinguish them from predicate symbols that may occur in $\Sigma$ (such predicate symbols may be encoded as functions of profile $s \to bool$). Formulae are built as usual on this set of atoms using the connectives $\vee, \wedge, \neg, \forall, \exists$. We assume for simplicity that all formulae are in Negation Normal Form (NNF). A variable $x$ is free in $\phi$ if it occurs in $\phi$, but not in the scope of the quantifier $\forall x$ or $\exists x$. If $\phi$ has no free variables then $\phi$ is closed.



An interpretation $I$ maps every sort $s$ to a set of elements $s^I$, every variable $x$ of sort $s$ to an element $x^I \in s^I$, every function symbol $f : s_1 \times \cdots \times s_n \to s$ to a function $f^I$ from $s_1^I \times \cdots \times s_n^I$ to $s^I$ and every defined symbol $d \in \mathcal{D}_s$ to a subset of $s^I$. The set $\bigcup_{s \in \mathcal{S}} s^I$ is the domain of $I$. As usual, any interpretation $I$ can be extended to a function mapping every term $t$ of sort $s$ to an element $[t]^I \in s^I$ and every formula $\phi$ to a truth value $[\phi]^I \in \{true, false\}$. We write $I \models \phi$ (and we say that $I$ validates $\phi$) if $[\forall \vec{x}\, \phi]^I = true$, where $\vec{x}$ is the vector of free variables in $\phi$. We assume, w.l.o.g., that the sets $s^I$ (for $s \in \mathcal{S}$) are disjoint. Sets of formulae are interpreted as conjunctions. If $\phi$ and $\psi$ are two formulae or sets of formulae, we write $\phi \equiv_I \psi$ if either $I \models \phi$ and $I \models \psi$, or $I \not\models \phi$ and $I \not\models \psi$. We write $\phi \equiv \psi$ if $\phi \equiv_I \psi$ for all interpretations $I$.

We introduce two transformations operating on interpretations. The first one is simple: it only affects the value of some variables or constant symbols. If $I$ is an interpretation, $x_1, \ldots, x_n$ are distinct variables or constant symbols of sorts $s_1, \ldots, s_n$ respectively and $v_1, \ldots, v_n$ are elements of $s_1^I, \ldots, s_n^I$, then we denote by $I[v_1/x_1, \ldots, v_n/x_n]$ the interpretation coinciding with $I$, except that for every $i = 1, \ldots, n$, we have $x_i^{I[v_1/x_1, \ldots, v_n/x_n]} = v_i$.

The second transformation is slightly more complex. The idea is to change the values of the elements of an inductive sort, without affecting the remaining part of the interpretation. An $\mathcal{I}$-mapping for an interpretation $I$ is a function $\lambda$ mapping every element $e$ in the domain of $I$ to an element of the same sort, that is the identity on every element occurring in a set $s^I$, where $s \notin \mathcal{I}$. Then $\lambda(I)$ is the interpretation coinciding with $I$, except that for every symbol $f$ of a sort $s \in \mathcal{I}$, we have $f^{\lambda(I)}(e_1, \ldots, e_n) = f^I(\lambda(e_1), \ldots, \lambda(e_n))$.

In the following, we assume that all interpretations belong to a specific class $\mathfrak{I}$. This is useful to fix the semantics of some of the symbols, for instance one may assume that the interpretation of a sort $int$ is not arbitrary but rather equal to $\mathbb{Z}$. Of course, $\mathfrak{I}$ is not arbitrary: the following definitions specify all the conditions that must be satisfied by the considered class of interpretations. We start by the interpretation of the defined symbols. As explained in the Introduction, the values of these symbols are to be specified by convergent systems of rewrite rules, satisfying some additional conditions defined as follows:

Definition 2. Let $<$ be an ordering on defined symbols. Let $\mathfrak{R}$ be an orthogonal system of rules of the form $d_{f(x_1, \ldots, x_n)} \to \phi$, where $d$ is a defined symbol in $\mathcal{D}_s$, $f$ is of profile $s_1 \times \cdots \times s_n \to s$, and $x_1, \ldots, x_n$ are distinct variables of sorts $s_1, \ldots, s_n$. We assume that $\phi$ and $\mathfrak{R}$ satisfy the following conditions:

1. The free variables of $\phi$ occur in $x_1, \ldots, x_n$.

2. All $\mathcal{I}$-terms occurring in $\phi$ belong to the set $\{x_1, \ldots, x_n, f(x_1, \ldots, x_n)\}$.

3. If $\phi$ contains a formula $d'_t$ then either $d' < d$ and $t = f(x_1, \ldots, x_n)$, or $t \in \{x_1, \ldots, x_n\}$.

4. For every constructor $f$, $\mathfrak{R}$ contains a rule of the form $d_{f(x_1, \ldots, x_n)} \to \phi$.

It is clear from the conditions of Definition 2 that $\mathfrak{R}$ is convergent (the condition on the ordering ensures termination, and orthogonality ensures confluence). We denote by $d_t{\downarrow}\mathfrak{R}$ the normal form of $d_t$ w.r.t. $\mathfrak{R}$. The following condition states that the interpretation of defined symbols must correspond to the one specified by the rewrite system for every interpretation in $\mathfrak{I}$.

Definition 3. An interpretation is $\mathfrak{R}$-compatible iff for all sort symbols $s \in \mathcal{I}$, for all defined symbols $d \in \mathcal{D}_s$, for all function symbols $f : s_1 \times \cdots \times s_n \to s$, we have $d_{f(x_1, \ldots, x_n)} \equiv_I d_{f(x_1, \ldots, x_n)}{\downarrow}\mathfrak{R}$.

The second condition that is required ensures that any equation between two constructor terms can be reduced to equations between variables:

Definition 4. An interpretation is $\mathcal{C}$-decomposable iff the following conditions hold:

1. For every $s \in \mathcal{I}$ and for every $f, g \in \mathcal{C}_s$ of arity $n$ and $m$ respectively, there exists a formula $\Delta^{f,g}$ built on $\vee, \wedge, \simeq$ and on $n + m$ distinct variables $x_1, \ldots, x_n, y_1, \ldots, y_m$ such that $f(x_1, \ldots, x_n) \simeq g(y_1, \ldots, y_m) \equiv_I \Delta^{f,g}$.

2. For every $i \in [1, n]$ we have $\Delta^{f,g} \models \bigvee_{k=1}^{m} x_i \simeq y_k$, and for every $j \in [1, m]$, we have $\Delta^{f,g} \models \bigvee_{k=1}^{n} y_j \simeq x_k$.

If $t = f(t_1, \ldots, t_n)$ and $s = g(s_1, \ldots, s_m)$ are two non-variable $\mathcal{I}$-terms, we denote by $\Delta(t \simeq s)$ the formula obtained from $\Delta^{f,g}$ by replacing each variable $x_i$ ($1 \leq i \leq n$) by $t_i$ and each variable $y_j$ ($1 \leq j \leq m$) by $s_j$.

Example 2. If, for instance, elements of a sort $s \in \mathcal{I}$ are interpreted as terms built on a set of free constructors, then we have $\Delta^{f,g} = \bot$ if $f \neq g$ and $\Delta^{f,f} = x_1 \simeq y_1 \wedge \cdots \wedge x_n \simeq y_n$ (where $n$ denotes the arity of $f$). Indeed, in this case, we have $f(x_1, \ldots, x_n) \simeq f(y_1, \ldots, y_n) \equiv (x_1 \simeq y_1 \wedge \cdots \wedge x_n \simeq y_n)$. If, on the other hand, $g$ is intended to denote a commutative binary function then we should have: $\Delta^{g,g} = (x_1 \simeq y_1 \wedge x_2 \simeq y_2) \vee (x_1 \simeq y_2 \wedge x_2 \simeq y_1)$. The variables $x_i$ and $y_j$ are those introduced in Definition 4.
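As an added illustration of Definition 4 and Example 2 (this is example code written for this page, not code from the paper), the following Python script builds $\Delta(t \simeq s)$ for free constructors and for one assumed commutative binary constructor `pair`, checks Condition 2 on the result, and applies $\Delta$ repeatedly until only equations with a parameter on at least one side remain. The term encoding (tuples headed by the constructor name, 1-tuples such as `('A',)` for parameters) and the constructor table are assumptions of this example.

```python
# Added example (not from the paper): Delta(t ~ s) of Definition 4, applied
# repeatedly to reduce equations between constructor terms to equations between
# parameters. Terms are tuples (head, arg1, ...); a 1-tuple whose head is not a
# constructor is a parameter, e.g. ('A',). 'pair' is an assumed commutative
# binary constructor used to show the non-free case of Example 2.
CONSTRUCTORS = {'0', 'succ', 'nil', 'cons', 'pair'}
COMMUTATIVE = {'pair'}

def is_constructor_term(t):
    return t[0] in CONSTRUCTORS

def delta(t, s):
    """Delta(t ~ s): Delta^{f,g} with x_i := t_i and y_j := s_j, returned in
    disjunctive normal form as a list of conjunctions (lists of equations).
    [] is bottom, [[]] is top."""
    (f, *ts), (g, *ss) = t, s
    if f != g:
        return []                                    # Delta^{f,g} = bot for distinct free constructors
    if f in COMMUTATIVE:                             # Delta^{g,g} for a commutative binary g
        (x1, x2), (y1, y2) = ts, ss
        return [[(x1, y1), (x2, y2)], [(x1, y2), (x2, y1)]]
    return [list(zip(ts, ss))]                       # Delta^{f,f} = x_1 ~ y_1 /\ ... /\ x_n ~ y_n

def covers_arguments(t, s):
    """Condition 2 of Definition 4: in every disjunct of Delta(t ~ s), each
    argument of t is equated with some argument of s and vice versa."""
    ts, ss = t[1:], s[1:]
    for conj in delta(t, s):
        for x in ts:
            if not any((a == x and b in ss) or (b == x and a in ss) for a, b in conj):
                return False
        for y in ss:
            if not any((a == y and b in ts) or (b == y and a in ts) for a, b in conj):
                return False
    return True

def decompose(equations):
    """Reduce a conjunction of equations to a disjunction of conjunctions in
    which no equation has constructor terms on both sides, by applying Delta
    to every such equation; one branch per disjunct of Delta. Returns the
    sorted list of branches, [] meaning unsatisfiable."""
    branches, result = [list(equations)], []
    while branches:
        branch = branches.pop()
        todo = [i for i, (a, b) in enumerate(branch)
                if is_constructor_term(a) and is_constructor_term(b)]
        if not todo:
            result.append(sorted(branch))
            continue
        a, b = branch.pop(todo[0])
        for conj in delta(a, b):
            branches.append(branch + conj)
    return sorted(result)

def P(name): return (name,)                          # parameter (upper-case, as in the paper)
def cons(x, l): return ('cons', x, l)
def succ(n): return ('succ', n)
NIL, ZERO = ('nil',), ('0',)

if __name__ == '__main__':
    # free constructors: A ~ C and cons(B, nil) ~ L remain, L being a parameter
    print(decompose([(cons(P('A'), cons(P('B'), NIL)), cons(P('C'), P('L')))]))
    print(decompose([(cons(P('A'), NIL), NIL)]))     # clash of constructors: []
    print(decompose([(('pair', P('A'), P('B')), ('pair', P('C'), P('D')))]))  # two branches
```

The search is a plain worklist over branches, which is what a tableau does when it opens one child per disjunct of $\Delta$; the `covers_arguments` check is the part of Definition 4 that later lets every argument of a decomposed parameter be tracked through the branch.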

The third condition ensures that the interpretation of every inductive sort is minimal (w.r.t. set inclusion).

Definition 5. An interpretation is $\mathcal{I}$-inductive iff for every $s \in \mathcal{S}$, and for every element $u \in s^I$, there exists a constructor term $t$ such that $u = [t]^I$.

Notice that, by definition, a constructor term contains no variable of a sort in $\mathcal{I}$. For instance, every element in $nat^I$ should be equal to a ground term $succ^k(0)$, for some $k \in \mathbb{N}$. If $list$ denotes the sort of the lists built on elements of a sort $s \notin \mathcal{I}$, then any element of $list^I$ must be equal to a term of the form $cons(x_1, cons(x_2, \ldots, cons(x_n, nil) \ldots))$, where $x_1, \ldots, x_n$ are variables of sort $s$. This condition implies in particular that for every $s \notin \mathcal{I}$ and for every element $v \in s^I$, there exists a variable $x$ such that $x^I = v$ (this is obviously not restrictive, since the variables may be interpreted arbitrarily).

The next definition summarizes all the conditions that are imposed:

Definition 6. A class of interpretations $\mathfrak{I}$ is schematizable iff all interpretations $I \in \mathfrak{I}$ satisfy the following properties:

1. $I$ is $\mathfrak{R}$-compatible.

2. $I$ is $\mathcal{C}$-decomposable.

3. $I$ is $\mathcal{I}$-inductive.

4. For all variables $v$ of a sort $s$ and for all elements $e \in s^I$, $I[e/v] \in \mathfrak{I}$.

5. For all $\mathcal{I}$-mappings $\lambda$, $\lambda(I) \in \mathfrak{I}$.

A formula $\phi$ is $\mathfrak{I}$-satisfiable iff $\phi$ has a model in $\mathfrak{I}$.

From now on we focus on testing $\mathfrak{I}$-satisfiability for a schematizable class of interpretations. Before that we impose some restrictions on the formulae to be tested. As we shall see, these conditions will be useful mainly to ensure that the proof procedure presented in Section 3 only generates a finite number of distinct formulae, up to a renaming of the parameters. This property is essential for the proof of termination, although it is not a sufficient condition.

Definition 7. A class of formulae $\mathfrak{F}$ is admissible if all formulae $\phi \in \mathfrak{F}$ satisfy the following properties:

1. For all parameters $A, B$, $\phi[B/A] \in \mathfrak{F}$.

2. $\phi$ contains no constructor and no variable of a sort in $\mathcal{I}$.

3. For every subformula $\psi$ of $\phi$, if $\psi$ is not a disjunction, a conjunction, or a defined atom, then $\psi$ contains no defined symbol and no pair of distinct parameters.

4. For every defined symbol $d$ occurring in $\phi$ and for every rule $d_t \to \chi$ in $\mathfrak{R}$, the formula obtained from $\chi$ by replacing each $\mathcal{I}$-term by an arbitrary parameter is in $\mathfrak{F}$.

A formula occurring in $\mathfrak{F}$ is a schema. It is a base formula iff it contains no defined symbol, and no equation between parameters.

The conditions in Definition 7 ensure that the formulae in $\mathfrak{F}$ are boolean combinations (built on $\vee, \wedge$) of base formulae containing at most one parameter, of defined atoms and of equations and disequations between parameters. The definition of base formulae in Definition 7 ensures that the truth values of base formulae do not depend on the interpretation of the parameters, but only on the relation between them. Base formulae can contain parameters, but they can only occur as arguments of function symbols, whose images must be of a non-inductive sort. The only way of specifying properties of the parameters themselves (and not of the terms built on them) is by using the rewrite rules in $\mathfrak{R}$. As we shall see, this property is essential for proving the soundness of the loop detection rule that ensures termination of our proof procedure. Similarly, no quantification over variables of an inductive sort is allowed.

In the following, $\mathfrak{I}$ denotes a schematizable class of interpretations and $\mathfrak{F}$ denotes an admissible class of formulae. The goal of the paper is to prove that if $\mathfrak{I}$-satisfiability is decidable (resp. semi-decidable) for base formulae in $\mathfrak{F}$ then it must be so for all formulae in $\mathfrak{F}$. We give examples of classes of formulae satisfying the previous conditions:



Example 3. Assume that $\Sigma$ only contains $0$, $succ$ and symbols of profile $nat \to bool$. Let $\mathfrak{I}_0$ be the class of all $\mathfrak{R}$-compatible interpretations on this language with the usual interpretation of $nat$, $0$ and $succ$, and let $\mathfrak{F}_0$ be the set of all quantifier-free formulae containing no occurrence of $0$ and $succ$. Clearly, $\mathfrak{I}_0$ is schematizable and $\mathfrak{F}_0$ is admissible. The formulae in $\mathfrak{F}_0$ denote schemata of propositional formulae. For instance the schema $p_0 \wedge \neg p_N \wedge \bigwedge_{K=0}^{N-1} (\neg p_K \vee p_{succ(K)})$ is specified by the formula $p(0) \wedge \neg p(N) \wedge d_N$, where $d$ is defined by the rules $d_0 \to \top$ and $d_{succ(x)} \to d_x \wedge (\neg p(x) \vee p(succ(x)))$. $\mathfrak{F}_0$ is equivalent to the class of regular schemata in [3].

Example 4. Let $\mathcal{S} = \{nat, int\}$ and $\mathcal{I} = \{nat\}$. Assume that $\Sigma$ contains the symbols $0$ and $succ$, constant symbols of sort $int$, function symbols of profile $nat \to int$ and all the symbols of Presburger arithmetic. Let $\mathfrak{I}_\mathbb{Z}$ be the class of all $\mathfrak{R}$-compatible interpretations such that the interpretations of $nat, int, 0, succ, +, <, \ldots$ are the usual ones. Let $\mathfrak{F}_\mathbb{Z}$ be the set of all formulae built on this language, containing no occurrence of $0$, $succ$, and satisfying Condition 3 in Definition 7. It can be easily checked that $\mathfrak{I}_\mathbb{Z}$ is schematizable and that $\mathfrak{F}_\mathbb{Z}$ is admissible. Formulae in $\mathfrak{F}_\mathbb{Z}$ denote schemata of Presburger formulae (the base formulae in $\mathfrak{F}_\mathbb{Z}$ are formulae of Presburger arithmetic). For instance $\bigvee_{K=0}^{N} a(K) > 0$ is denoted by $d_N$, with the rules $d_0 \to (a(0) > 0)$ and $d_{succ(x)} \to d_x \vee a(succ(x)) > 0$. Note however that schemata containing atoms with several distinct terms of sort $nat$, such as $\bigwedge_{K=0}^{N} a(K) \leq a(succ(K))$, cannot occur in $\mathfrak{F}_\mathbb{Z}$. It is also important to remark that the sort $int$ must be distinct from the sort of the indices $nat$ (terms of the form $d_{a(K)}$ are not allowed).

The class $\mathfrak{F}_\mathbb{Z}$ is not comparable to the class of SMT-schemata in [3] (the latter class may contain formulae of the previous form, at the cost of additional restrictions on the considered theory). Let $\mathfrak{I}_1$ and $\mathfrak{F}_1$ be the sets of interpretations and formulae fulfilling the conditions of Definitions 6 and 7. The following proposition is easy to establish ($\mathfrak{F}_0$ and $\mathfrak{F}_\mathbb{Z}$ are defined in Examples 3 and 4):

Proposition 1. $\mathfrak{I}_0$-satisfiability (resp. $\mathfrak{I}_\mathbb{Z}$-satisfiability) is decidable for base formulae in $\mathfrak{F}_0$ (resp. $\mathfrak{F}_\mathbb{Z}$) and $\mathfrak{I}_1$-satisfiability is semi-decidable for base formulae in $\mathfrak{F}_1$.

Before describing the proof procedure for testing the satisfiability of 
schemata, we provide a simple example of an application. It is only intended 
to give a taste of what can be expressed in our logic, and of which properties are 
outside its scope (see also the examples in the Introduction, that can be easily 
encoded). 

Example 5. A (binary) DAG $\delta$ labeled by elements of type $elem$ can be denoted by a function symbol $\delta : DAG \to elem$, where the signature contains two constructors of sort $DAG$: a constant symbol $\bot$ (denoting the empty DAG), and a 3-ary symbol $c(n, l, r)$, where $l$ and $r$ denote the left and right children respectively and $n$ denotes the current node². Various properties can be expressed in our logic, for instance the following defined symbol $A^{\delta,p}$ expresses the fact that all the elements occurring in a DAG $\delta$ satisfy some property $p$.

² This extra argument is necessary to ensure that distinct nodes can have the same children.



$$A^{\delta,p}_{\bot} \to \top \qquad\qquad A^{\delta,p}_{c(n,l,r)} \to A^{\delta,p}_{l} \wedge A^{\delta,p}_{r} \wedge p(\delta(c(n,l,r)))$$

Obviously this can be generalized to any set of regular positions: for instance, we can state that there exists a path from the root to a leaf in the DAG on which all the elements satisfy $p$:

$$E^{\delta,p}_{\bot} \to \top \qquad\qquad E^{\delta,p}_{c(n,l,r)} \to (E^{\delta,p}_{l} \vee E^{\delta,p}_{r}) \wedge p(\delta(c(n,l,r)))$$

$\delta$ and $p$ are meta-variables: $\delta$ must be replaced by a function symbol of profile $DAG \to elem$ and $p$ can be replaced by any property of elements of sort $elem$ (provided it is expressible in the base language, e.g. first-order logic). For instance, we can express the fact that all the elements of $\delta$ are equal to some fixed value, or that all the elements of $\delta$ are even. We can check that the following formula is valid: $(\forall x, p(x) \Rightarrow q(x)) \Rightarrow (E^{\delta,p} \Rightarrow E^{\delta,q})$. However, the converse cannot be expressed in our setting, because it would involve a quantification over an element of type $DAG$, which is forbidden by Condition 2 in Definition 7. The formula $A^{\delta,p} \wedge \neg A^{\delta,q} \wedge \neg A^{\delta,\neg q}$ is satisfiable on the interpretations whose domain contains two elements $e_1, e_2$ such that $p(e_1)$, $p(e_2)$, $\neg q(e_1)$ and $q(e_2)$ hold (but for instance it is unsatisfiable if $p(x) = (x \simeq 0)$). We can express the fact that two DAGs $\delta$ and $\delta'$ share an element: $\exists x, \forall y, (p(y) \Leftrightarrow x \simeq y) \wedge \neg A^{\delta,\neg p} \wedge \neg A^{\delta',\neg p}$. We can also define a symbol $Map^{\delta,\delta',f}$ stating that $\delta'$ is obtained from $\delta$ by applying some function $f$ on every element of $\delta$:

$$Map^{\delta,\delta',f}_{\bot} \to \top \qquad\qquad Map^{\delta,\delta',f}_{c(n,l,r)} \to Map^{\delta,\delta',f}_{l} \wedge Map^{\delta,\delta',f}_{r} \wedge \delta'(c(n,l,r)) \simeq f(\delta(c(n,l,r)))$$

Then, we can check, for instance, that if all the elements of $\delta$ are even and if $f$ is the successor function, then all the elements of $\delta'$ must be odd:

$$\big(even(0) \wedge (\forall x, even(succ(x)) \Leftrightarrow \neg even(x)) \wedge A^{\delta,even} \wedge Map^{\delta,\delta',succ}\big) \Rightarrow A^{\delta',\neg even}$$

We are not able, however, to express transformations affecting the shape of the DAG (e.g. switching all the right and left subgraphs) because this would require the use of non-monadic defined symbols.

$Alt^{\delta,p,q}$ expresses the fact that all the elements at even positions satisfy $p$ and that the elements at odd positions satisfy $q$:

$$Alt^{\delta,p,q}_{\bot} \to \top \qquad\qquad Alt^{\delta,p,q}_{c(n,l,r)} \to Alt^{\delta,q,p}_{l} \wedge Alt^{\delta,q,p}_{r} \wedge p(\delta(c(n,l,r)))$$

Our procedure can be used to verify that $Alt^{\delta,p,q} \Rightarrow A^{\delta,p \vee q}$. The following defined symbol $\rho^{\delta,\delta',\delta''}$ states that a DAG $\delta''$ is constructed by taking elements from $\delta$ and $\delta'$ alternately:

$$\rho^{\delta,\delta',\delta''}_{\bot} \to \top \qquad\qquad \rho^{\delta,\delta',\delta''}_{c(n,l,r)} \to \rho^{\delta',\delta,\delta''}_{l} \wedge \rho^{\delta',\delta,\delta''}_{r} \wedge \delta''(c(n,l,r)) \simeq \delta(c(n,l,r))$$

We can check that if the elements of $\delta$ and $\delta'$ satisfy properties $p$ and $q$ respectively, then the elements in $\delta''$ satisfy $p$ and $q$ alternately: $(\rho^{\delta,\delta',\delta''} \wedge A^{\delta,p} \wedge A^{\delta',q}) \Rightarrow Alt^{\delta'',p,q}$.

Notice that, in this example, the subgraphs can share elements. Thus it is not possible in general to reason independently on each branch (in the style of automata-based approaches): one has to reason simultaneously on the whole DAG. Other data structures such as arrays or lists can be handled in a similar way. An example of a property that cannot be expressed is sortedness. Indeed, it would be stated as follows:

$$Sort^{\delta}_{c(n,l,r)} \to Sort^{\delta}_{l} \wedge Sort^{\delta}_{r} \wedge \delta(c(n,l,r)) > \delta(l) \wedge \delta(c(n,l,r)) > \delta(r)$$

However, the atom $\delta(c(n,l,r)) > \delta(l)$ is not allowed in our setting: since it contains several parameters, it contradicts Condition 3 in Definition 7.
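As an added worked example for the rewrite systems of Definitions 2 and 3 and for the DAG schemata of Example 5 (example code written for this page, not the paper's own implementation), the Python script below encodes a system $\mathfrak{R}$ as Python callables, computes the normal form $d_t{\downarrow}\mathfrak{R}$ of a defined atom on a ground constructor term, and then treats the result as the base formula it is: for the Introduction's $\phi_n$ over $nat$ it checks by brute force that $\phi_n \wedge p(0) \wedge \neg p(n)$ is unsatisfiable for each fixed $n$, and for $A^{\delta,p}$ and $Alt^{\delta,p,q}$ it evaluates the unfolded formula on a constructed DAG whose root has the same term as both children, so that the shared element shows up as a single base atom. The tuple encoding of terms and formulae, the rule table, the DAG labelling and the predicates are all assumptions of the example.

```python
# Added example (not from the paper): an interpreter for the rewrite systems R
# of Definition 2. unfold() computes the normal form d_t|R (Definition 3) of a
# defined atom on a ground constructor term; the result is a base formula,
# checked here by brute force. Encoding (assumed): terms are tuples
# (constructor, args...); formulae are tagged tuples; a rule for (d, f) is a
# Python callable taking the constructor's arguments x_1..x_n.
from itertools import product

TRUE = ('true',)
def And(*fs): return ('and',) + fs
def Or(*fs):  return ('or',) + fs
def Not(f):   return ('not', f)
def Atom(p, t): return ('atom', p, t)       # base atom p(t)
def Def(d, t):  return ('def', d, t)        # defined atom d_t, t an I-term

ZERO, BOT = ('0',), ('bot',)
def succ(t): return ('succ', t)
def c(n, l, r): return ('c', n, l, r)

def unfold(f, R):
    """Normal form of f w.r.t. R: each defined atom d_{g(t1..tn)} is replaced
    by the right-hand side of the rule for (d, g), then unfolded again. This
    terminates because, by conditions 2 and 3 of Definition 2, every defined
    atom introduced is on a strict subterm or on a smaller defined symbol."""
    tag = f[0]
    if tag == 'def':
        d, (ctor, *args) = f[1], f[2]
        return unfold(R[(d, ctor)](*args), R)
    if tag in ('and', 'or'):
        return (tag,) + tuple(unfold(g, R) for g in f[1:])
    if tag == 'not':
        return Not(unfold(f[1], R))
    return f                                 # 'true' or a base atom

def atoms(f):
    """Base atoms of a normalised formula (a set, so shared atoms count once)."""
    if f[0] == 'atom':
        return {f}
    if f[0] in ('and', 'or', 'not'):
        return set().union(*(atoms(g) for g in f[1:]))
    return set()

def evaluate(f, val):
    """Truth value under val: base atom -> bool; fails on a leftover 'def'."""
    tag = f[0]
    if tag == 'true': return True
    if tag == 'atom': return val[f]
    if tag == 'not':  return not evaluate(f[1], val)
    if tag == 'and':  return all(evaluate(g, val) for g in f[1:])
    if tag == 'or':   return any(evaluate(g, val) for g in f[1:])
    raise ValueError(f"formula is not in normal form: {tag}")

def satisfiable(f):
    """Brute-force satisfiability of a normalised propositional formula."""
    A = list(atoms(f))
    return any(evaluate(f, dict(zip(A, bits)))
               for bits in product((False, True), repeat=len(A)))

# Introduction: phi_0 -> T, phi_{succ(x)} -> phi_x /\ (p(x) => p(succ(x))).
R_NAT = {
    ('phi', '0'):    lambda: TRUE,
    ('phi', 'succ'): lambda x: And(Def('phi', x),
                                   Or(Not(Atom('p', x)), Atom('p', succ(x)))),
}

def nat(n):
    return ZERO if n == 0 else succ(nat(n - 1))

def instance_unsat(n):
    """phi_n /\ p(0) /\ ~p(n) is unsatisfiable for this fixed n; the paper's
    procedure is what lifts such checks to every n at once."""
    f = And(Def('phi', nat(n)), Atom('p', ZERO), Not(Atom('p', nat(n))))
    return not satisfiable(unfold(f, R_NAT))

# Example 5: A^{delta,p}_t and Alt^{delta,p,q}_t. The base atom p(delta(t)) is
# encoded as Atom('p', ('delta', t)); the swap of p and q in the children of
# Alt is encoded with two defined symbols Alt_pq and Alt_qp.
R_DAG = {
    ('A_p', 'bot'):    lambda: TRUE,
    ('A_p', 'c'):      lambda n, l, r: And(Def('A_p', l), Def('A_p', r),
                                           Atom('p', ('delta', c(n, l, r)))),
    ('Alt_pq', 'bot'): lambda: TRUE,
    ('Alt_pq', 'c'):   lambda n, l, r: And(Def('Alt_qp', l), Def('Alt_qp', r),
                                           Atom('p', ('delta', c(n, l, r)))),
    ('Alt_qp', 'bot'): lambda: TRUE,
    ('Alt_qp', 'c'):   lambda n, l, r: And(Def('Alt_pq', l), Def('Alt_pq', r),
                                           Atom('q', ('delta', c(n, l, r)))),
}

def holds_on_dag(d, t, delta, preds):
    """Evaluate d_t on a concrete DAG: delta maps constructor terms to
    elements, preds maps 'p'/'q' to predicates on elements."""
    f = unfold(Def(d, t), R_DAG)
    val = {a: preds[a[1]](delta(a[2][1])) for a in atoms(f)}
    return evaluate(f, val)

# Constructed DAG: both children of the root are the same term, so the shared
# element appears in one base atom only (the sharing the paper insists on).
LEAF = c(('n1',), BOT, BOT)
ROOT = c(('n0',), LEAF, LEAF)
LABELS = {('n0',): 2, ('n1',): 1}            # delta(c(n, l, r)) = LABELS[n]
PREDS = {'p': lambda e: e % 2 == 0, 'q': lambda e: e % 2 == 1}
DELTA = lambda t: LABELS[t[1]]

if __name__ == '__main__':
    print([instance_unsat(n) for n in range(6)])        # all True
    print(holds_on_dag('A_p', ROOT, DELTA, PREDS))      # False: the leaf is odd
    print(holds_on_dag('Alt_pq', ROOT, DELTA, PREDS))   # True: even root, odd leaf
```

The brute-force check stands in for the external "black box" prover of the base language; everything schema-specific is in `unfold`, which is exactly the separation the paper argues for.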

3 Proof Procedure 

In this section, we present our procedure for testing the $\mathfrak{I}$-satisfiability of admissible formulae. We employ a tableaux-based procedure, with several kinds of inference rules: Decomposition rules that reduce each formula to a conjunction of base formulae, equational literals, and defined literals; Unfolding rules that allow to unfold the defined atoms (by applying the rules in $\mathfrak{R}$); Equality rules for reasoning on equational atoms; and Delayed instantiation schemes that replace a parameter $A$ by some term $f(B_1, \ldots, B_n)$, where $f$ is a constructor and $B_1, \ldots, B_n$ are new constant symbols. We consider proof trees labeled by sets of formulae. If $\alpha$ is a node in a tree $\mathcal{T}$ then $\mathcal{T}(\alpha)$ denotes the label of $\alpha$. A node is closed if it contains $\bot$. As usual, our procedure is specified by a set of expansion rules of the form

$$\frac{\Phi}{\Psi_1 \mid \cdots \mid \Psi_n}$$

with $n \geq 1$, meaning that a non-closed leaf node labeled by a set $\Phi' \supseteq \Phi$ (up to a substitution of the meta-variables) may be expanded by adding $n$ children labeled by $(\Phi' \setminus \Phi) \cup \Psi_1, \ldots, (\Phi' \setminus \Phi) \cup \Psi_n$ respectively. We assume moreover that the formulae $\Psi_1, \ldots, \Psi_n$ have not already been generated in the considered branch (to avoid redundant applications of the rules). For any tree $\mathcal{T}$, we write $\alpha \triangleright_{\mathcal{T}} \beta$ iff $\beta$ is a child of $\alpha$. $\triangleright^{*}_{\mathcal{T}}$ denotes as usual the reflexive and transitive closure of $\triangleright_{\mathcal{T}}$.

We need to introduce some additional notations and definitions. For any interpretation $I$ and for any element $v$ in the domain of $I$, we denote by $\mathrm{depth}_I(v)$ the depth of the constructor term denoted by $v$, formally defined as follows: $\mathrm{depth}_I(v) = 0$ if $v$ is in $D_s$ and $s \notin \mathcal{I}$, otherwise $\mathrm{depth}_I([f(t_1,\ldots,t_n)]^I) = 1 + \max(\{\mathrm{depth}_I([t_i]^I) \mid i \in [1,n]\})$, with the convention that $\max(\emptyset) = 0$. It is easy to check that the function $v \mapsto \mathrm{depth}_I(v)$ is well-defined, for every interpretation $I \in \mathfrak{I}$.

For the sake of readability, we shall assume that there exists a function symbol $\mathrm{depth}$ such that $\mathrm{depth}^I(v) = \mathrm{depth}_I(v)$. The formula $\max(E) \sim t$ (where $E$ is a finite set of terms) is written as a shorthand for $\bigwedge_{s \in E} (s \preceq t) \wedge \bigvee_{s \in E} (s \sim t)$ if $E \neq \emptyset$, and for $0 \sim t$ if $E = \emptyset$.

Let $T$ be a tree and let $\alpha$ be a node in $T$. A parameter $A$ is solved in $\alpha$ if the only formula of $T(\alpha)$ containing $A$ is of the form $A \sim B$ where $B$ is a parameter. An equation $A \sim B$ is solved in $\alpha$ if $A$ is solved. Notice that $\sim$ is not considered as commutative. For every set of formulae $\Phi$, $\mathrm{Eq}(\Phi)$ denotes the set of equations in $\Phi$ and $\mathrm{NonEq}(\Phi) = \Phi \setminus \mathrm{Eq}(\Phi)$. A renaming is a function $\rho$ mapping every parameter to a parameter of the same sort, such that $\rho(N) = N$. Any renaming $\rho$ can be extended into a function mapping every formula $\phi$ to a formula $\rho(\phi)$, obtained by replacing every parameter $A$ occurring in $\phi$ by $\rho(A)$. Let $\Phi$ and $\Psi$ be two sets of formulae. We write $\Phi \sqsubseteq \Psi$ iff there exists a renaming $\rho$ such that $\rho(\Psi) \subseteq \Phi$.

A proof tree for $\phi$ is a tree constructed by the rules of Figure 1 below and such that the root is obtained by applying Start on $\phi$. We assume that $\vee$-Decomposition and $\wedge$-Decomposition are applied with the highest priority.

Most of the rules in Figure 1 are self-explanatory. We only briefly comment on some important points.

Start is only applied once, in order to create the root node of the tree. The label of this node contains the formula at hand together with an additional formula stating that the maximum of the depths of the constructor terms represented by the parameters must equal some natural number $N$.

The decomposition and closure rules are standard. However, we do not use them to test the satisfiability of the formula, but only to decompose it into a conjunction of defined atoms, equational literals and base formulas. This is always feasible, thanks to the particular properties of admissible formulae (see Definition 7). Notice that the separation rule has no premises. The only requirement is that $A$ and $B$ occur in the considered branch.

Unfolding replaces a defined atom by its definition according to the rules in $\mathcal{R}$. This is possible only when the head symbol and arguments of the term represented by $A$ are known.

$\sim$-Decomposition decomposes equalities, using the specific properties of $\sim$-decomposable interpretations: if a node contains two equations $A \sim t$ and $A \sim s$ then the formula $\Delta(t \sim s)$ necessarily holds. $\not\sim$-Decomposition performs a similar task for inequalities.

Several rules are introduced to reason on the depth of the terms represented by the parameters. The principle is to separate the parameters representing terms of a depth exactly equal to $N$ from those whose depth is strictly less than $N$ (so that only the former ones may be instantiated). By definition of Start, the initial node must contain an inequality $\mathrm{depth}(A) \preceq N$ for each parameter $A \neq N$. Strictness expands this inequality by using the equivalence $x \preceq y \equiv (x \prec y \vee x \sim y)$. Then $\vee$-Decomposition will apply, yielding either $x \prec y$ or $x \sim y$. $\prec$-Decomposition gets rid of strict inequalities of the form $\mathrm{depth}(A) \prec \mathrm{succ}(t)$ that are introduced by $N$-Explosion.

The Explosion rules instantiate the parameters, which is done by adding equations of the form $A \sim f(\mathbf{B})$, where $\mathbf{B}$ is a vector of fresh parameters.

Explosion instantiates the parameters distinct from $N$. We choose to instantiate only the parameters representing terms of maximal depth, and only after $N$ has been instantiated. Thus we instantiate a parameter $B$ only if there exists an atom of the form $\mathrm{depth}(B) \sim t$, where $t$ is of the form $\mathrm{succ}(s)$, for some $s \in \{0, N\}$. Explosion enables further applications of Unfolding, which in turn may introduce new complex formulae into the nodes (by unfolding the defined symbols according to the rules in $\mathcal{R}$).
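As an added worked example (it is not part of the paper; the tuple encoding of terms, the signature and the function names are this example's own assumptions), the following Python code implements the depth function and the $\max(E) \sim t$ shorthand introduced above, builds the disjunction that Explosion adds for a premise $\mathrm{depth}(B) \sim \mathrm{succ}(t)$, and evaluates the result under an interpretation that maps $N$ to a natural number and parameters to ground constructor terms. The signature combines the constructors of Example 6 with the naturals, and `elem` stands for a base sort that is not inductive.

```python
# Added example (not from the paper): constructor terms, the depth function of
# Section 3, the max(E) ~ t shorthand and the disjunction built by Explosion.
# The signature is constructed: the constructors a, f of Example 6 over sort
# "s", the naturals 0, succ, and a non-inductive base sort "elem".
INDUCTIVE_SORTS = {"nat", "s"}
CONSTRUCTORS = {            # symbol -> (argument sorts, result sort)
    "0":    ((), "nat"),
    "succ": (("nat",), "nat"),
    "a":    ((), "s"),
    "f":    (("s", "s"), "s"),
}


def sort_of(term):
    """Sort of a ground term: ("elem", name) belongs to the non-inductive base
    sort, anything else is a constructor application (symbol, arg1, ..., argn)."""
    return "elem" if term[0] == "elem" else CONSTRUCTORS[term[0]][1]


def depth(term):
    """depth_I(v) of Section 3: 0 for elements of a non-inductive sort,
    otherwise 1 + max of the argument depths, with max(emptyset) = 0."""
    if sort_of(term) not in INDUCTIVE_SORTS:
        return 0
    return 1 + max((depth(arg) for arg in term[1:]), default=0)


def start_N(interpretation):
    """Value given to N in the proof of Lemma 1: the maximal depth of the terms
    denoted by the parameters (interpretation: parameter -> ground term)."""
    return max((depth(v) for v in interpretation.values()), default=0)


def max_shorthand(E, t):
    """Expand max(E) ~ t into the formula it abbreviates:
    AND_{s in E} (s <= t) AND OR_{s in E} (s ~ t) when E is non-empty,
    and 0 ~ t when E is empty. Formulas are nested tuples."""
    if not E:
        return ("~", "0", t)
    return ("and", *[("≼", s, t) for s in E], ("or", *[("~", s, t) for s in E]))


def explosion(B, sort, t):
    """Disjunction added by Explosion for a premise depth(B) ~ succ(t): one
    disjunct max(E_i) ~ t /\\ B ~ f_i(A_i) per constructor f_i of the sort of B,
    where A_i are fresh parameters (named B1, B2, ... here) and E_i is the set of
    terms depth(C) for the components C of A_i of an inductive sort."""
    disjuncts = []
    for f, (arg_sorts, result) in CONSTRUCTORS.items():
        if result != sort:
            continue
        A = [f"{B}{k}" for k in range(1, len(arg_sorts) + 1)]
        E = [("depth", C) for C, cs in zip(A, arg_sorts) if cs in INDUCTIVE_SORTS]
        disjuncts.append(("and", max_shorthand(E, t), ("~", B, (f, *A))))
    return ("or", *disjuncts)


def value(x, I):
    """Natural number denoted by a depth term; I maps "N" to a number and
    parameters to ground terms."""
    if x == "0":
        return 0
    if x == "N":
        return I["N"]
    if x[0] == "depth":
        return depth(I[x[1]])
    if x[0] == "succ":
        return value(x[1], I) + 1
    raise ValueError(f"not a depth term: {x!r}")


def holds(phi, I):
    """Truth value under I of a formula built by max_shorthand or explosion."""
    op = phi[0]
    if op == "and":
        return all(holds(p, I) for p in phi[1:])
    if op == "or":
        return any(holds(p, I) for p in phi[1:])
    lhs, rhs = phi[1], phi[2]
    if op == "~" and isinstance(lhs, str) and lhs in I and lhs != "N":
        # equation between a parameter and a constructor term: compare the
        # ground terms they denote
        return I[lhs] == (rhs[0], *(I[c] for c in rhs[1:]))
    a, b = value(lhs, I), value(rhs, I)
    return {"~": a == b, "≼": a <= b, "≺": a < b}[op]
```

With the constructed interpretation $A \mapsto f(a, f(a,a))$, $A_1 \mapsto a$, $A_2 \mapsto f(a,a)$, the disjunct for $f$ holds exactly when $N = 2$, i.e. when $\mathrm{depth}(A) \sim \mathrm{succ}(N)$ is true, and the depth of the components of the fresh vector is bounded by $N$ as the shorthand demands; the same code applied to sort `nat` yields the two disjuncts for $0$ and $\mathrm{succ}$.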

$N$-Explosion instantiates the parameter $N$. Since the depth of the terms of a sort in $\mathcal{I}$ is at least 1 and since $N$ is intended to denote the maximal depth of the parameters, $N$ cannot be 0, thus it is instantiated either by $\mathrm{succ}(0)$ or by $\mathrm{succ}(N)$. Unlike the other parameters, direct replacement is performed. This rule is applied with the lowest priority. Hence, when the rule is applied, all parameters of a depth strictly greater than $N$ must have been instantiated. By replacing $N$ by a term of the form $\mathrm{succ}(t)$, the rule permits the instantiation of the parameters of depth $N - 1$. This strategy ensures that the parameters will be instantiated in decreasing order w.r.t. the depth of the terms they represent.

Loop is intended to detect cycles and prune the corresponding branches, by closing the nodes that are subsumed by a previous one. It only applies on some particular nodes, that are irreducible w.r.t. all rules, except (possibly) $N$-Explosion. We shall call any such node a layer. This rule can be viewed as an application of the induction principle. If $\Phi \sqsubseteq \Psi$ then it is clear that $\Psi$ is a logical consequence of $\Phi$, up to a renaming of parameters. Thus, if some open node exists below a node labeled by $\Phi$, some other open node must exist also below a node labeled by $\Psi$, hence the node corresponding to $\Phi$ may be closed without threatening soundness (a satisfiable branch is closed, but global satisfiability is preserved). Since $\Psi$ is a layer, the parameter $N$ must be instantiated at least once between the two nodes, which ensures that the reasoning is well-founded and that there exists at least one open node outside the branch of $\Phi$.

At first glance, it may seem odd to remove equations from $\Phi$ and $\Psi$ before testing for subsumption (see the application condition of Loop). Indeed, it is clear that this operation does not preserve satisfiability in general. For instance, the formula $p(A) \wedge \neg p(B) \wedge d_B \wedge A \sim 0$ is unsatisfiable if $d$ is defined by the rules $d_0 \to \top$ and $d_{\mathrm{succ}(K)} \to \bot$. However, $p(A) \wedge \neg p(B) \wedge d_B$ is satisfiable (with $A^I \neq 0$). In the context in which the rule is applied, however, it will be ensured that satisfiability is preserved. The intuition is that if an equation such as $A \sim 0$ occurs in the node, then $A$ must have been instantiated previously, hence the term represented by $A$ must be of a depth strictly greater than $N$. Due to the chosen instantiation strategy, all parameters of depth greater than or equal to that of $A$ must have been instantiated (this property is not fulfilled by the previous formula: $B$ should be instantiated since its depth is at most 1 by definition). Then it may be seen that the interpretation of the remaining formulas does not depend on the value of $A$, since the depth of their indices must be strictly less than that of $A$. Note that the removal of equations is essential for ensuring termination.

We provide a simple example to illustrate the rule applications.

Example 6. Consider the formula $\forall x\, \neg p(x) \wedge d_A$, together with the rules $d_a \to p(b)$ and $d_{f(x,y)} \to d_x \wedge d_y$ (where $C = \{a : s,\ f : s \times s \to s,\ 0,\ \mathrm{succ}\}$ and $\mathrm{profile}(A) = s$). The root formula is $\forall x\, \neg p(x) \wedge d_A \wedge \max(\{\mathrm{depth}(A)\}) \sim N$. By normalization using $\wedge$-Decomposition we get $\{\forall x\, \neg p(x),\ d_A,\ \mathrm{depth}(A) \sim N\}$. No rule applies, except $N$-Explosion, which replaces $N$ by $\mathrm{succ}(0)$ or $\mathrm{succ}(N)$. In both cases, Explosion applies on $A$. In the first branch, the rule adds the formula $A \sim a$ and in the second one, it yields $A \sim f(B,C)$ (where $B, C$ are fresh parameters). In the former branch, Unfolding replaces the formula $d_A$ by $p(b)$, then an irreducible node is reached. In the latter branch, the formulae $d_B$ and $d_C$ are inferred. Then Loop applies, using the renaming $\rho(A) = B$ or $\rho(A) = C$, hence the node is closed. The only remaining (irreducible) node is $\{p(b),\ \forall x\, \neg p(x)\}$. The unsatisfiability of this set of formulae can be easily checked.

The following example shows evidence of the importance of the depth rules:

Example 7. Consider the formula $p(A) \wedge d_A \wedge c_B$ with the rules $d_{\mathrm{succ}(x)} \to d_x$, $d_0 \to \top$, $c_{\mathrm{succ}(x)} \to \bot$ and $c_0 \to \neg p(0)$. If the parameters were instantiated in an arbitrary order, then one could choose for instance to instantiate $A$ by $\mathrm{succ}(A')$, yielding an obvious loop (indeed, the unfolding of $d_A$ yields $d_{A'}$, thus it suffices to consider the renaming $\rho(A) = A'$ and $\rho(B) = B$). Then the only remaining branch corresponds to the case $A \sim 0$, which is actually unsatisfiable. This trivial but instructive example shows that reasoning on the depth of the parameters is necessary to ensure that the model will eventually be reached. In this example, the depth of $A$ is maximal and that of $B$ is not, e.g.: $A \sim \mathrm{succ}(0)$ and $B \sim 0$. The problem stems from the fact that Loop is not sound in general, since equational atoms are removed from the formulae before testing for subsumption (the removal of such atoms is crucial for termination).



4 Properties of the Proof Procedure

This short section merely contains the theorems formalizing the main properties of the proof procedure. All proofs can be found in the Appendix. We first state that the previous rules are sound.

Theorem 1. Let $T$ be a proof tree for a formula $\phi$. If $T$ is closed then $\phi$ is unsatisfiable.

We then state that the procedure is complete, in the sense that the satisfiability of every irreducible node can be tested by the procedure for base formulae.

Theorem 2. Let $T$ be a proof tree. If $\alpha$ is a node in $T$ that is irreducible by all the expansion rules then $T(\alpha)$ is $\mathfrak{I}$-satisfiable iff $\mathrm{NonEq}(T(\alpha))$ is. Furthermore, $\mathrm{NonEq}(T(\alpha))$ is a set of base formulas.

We finally state that the procedure is terminating.

Theorem 3. The expansion rules terminate on every formula in

Corollary 1. If the satisfiability problem is decidable (resp. semi-decidable) for base formulas in $ then it is so for all formulas in J.

5 Conclusion

We have proposed a proof procedure for reasoning on schemata of formulae (defined by induction on an arbitrary structure, such as natural numbers, lists, trees etc.) by relating the satisfiability problem for such schemata to that of a finite disjunction of formulae in the base language. Our approach applies to a wide range of formulas, which may be interpreted in some specific class of structures (e.g. arithmetic). It may be seen as a generic way to add inductive capabilities



Start: $\dfrac{\phi}{\phi,\ \max(\{\mathrm{depth}(A_i) \mid i \in [1,n]\}) \sim N}$   where $\phi$ denotes the formula at hand and $A_1,\ldots,A_n$ are the parameters in $\phi$

$\vee$-Decomposition: $\dfrac{\phi \vee \psi}{\phi \mid \psi}$   $\wedge$-Decomposition: $\dfrac{\phi \wedge \psi}{\phi,\ \psi}$   if $\phi \vee \psi$, resp. $\phi \wedge \psi$, is not a base formula

Closure: $\dfrac{\ldots}{\bot}$   $\not\sim$-Closure: $\dfrac{A \not\sim A}{\bot}$   $N$-Closure: $\dfrac{\ldots}{\bot}$

Unfolding: $\dfrac{d_A,\ A \sim f(\mathbf{B})}{\psi,\ A \sim f(\mathbf{B})}$   where $\psi = d_{f(\mathbf{B})}{\downarrow}_{\mathcal{R}}[A/f(\mathbf{B})]$

$\sim$-Decomposition: $\dfrac{A \sim f(\mathbf{B}),\ A \sim g(\mathbf{C})}{\Delta(f(\mathbf{B}) \sim g(\mathbf{C})),\ A \sim f(\mathbf{B})}$

$\not\sim$-Decomposition: $\dfrac{A \not\sim B,\ A \sim f(\mathbf{B}),\ B \sim g(\mathbf{C})}{\mathrm{NNF}(\neg\psi),\ A \not\sim B,\ A \sim f(\mathbf{B}),\ B \sim g(\mathbf{C})}$   where $\psi = \Delta(f(\mathbf{B}) \sim g(\mathbf{C}))$

Replacement: $\dfrac{\Phi,\ A \sim B}{\Phi[B/A],\ A \sim B}$   if $A$ and $B$ are two parameters and $A$ occurs in $\Phi$

Strictness: $\dfrac{\mathrm{depth}(A) \preceq N}{\mathrm{depth}(A) \sim N \vee \mathrm{depth}(A) \prec N}$   $\prec$-Decomposition: $\dfrac{t \prec \mathrm{succ}(N)}{t \preceq N}$

$\prec$-Separation: $\dfrac{\mathrm{depth}(A) \prec N,\ \mathrm{depth}(B) \sim N}{\mathrm{depth}(A) \prec N,\ \mathrm{depth}(B) \sim N,\ A \not\sim B}$   Separation: $\dfrac{}{A \sim B \vee A \not\sim B}$

Explosion: $\dfrac{\mathrm{depth}(B) \sim \mathrm{succ}(t)}{\bigvee_{i \in [1,n]} \max(E_i) \sim t \wedge B \sim t_i}$

If $t_1,\ldots,t_n$ are terms of the form $f_i(\mathbf{A}_i)$, such that $f_1,\ldots,f_n$ are all the function symbols of the same sort as $B$, the $\mathbf{A}_i$'s are vectors of pairwise distinct, fresh constant symbols of the appropriate sort, and $E_i$ is the set of terms $\mathrm{depth}(C)$, where $C$ is a component of $\mathbf{A}_i$ of a sort in $\mathcal{I}$.

$N$-Explosion: $\dfrac{\Phi}{\Phi[\mathrm{succ}(0)/N] \mid \Phi[\mathrm{succ}(N)/N]}$

If no other rule applies and $N$ occurs in $\Phi$. Notice that in contrast with the previous rules, $\Phi$ must denote the whole label (not a subset of it).

Loop: $\dfrac{\Phi}{\bot}$   if there exists in the same branch a (non-leaf) layer labeled by a set of formulae $\Psi$ such that $\mathrm{NonEq}(\Phi) \sqsubseteq \mathrm{NonEq}(\Psi)$

See Definition 4 for the definition of $\Delta(t \sim s)$.

Fig. 1. Expansion rules



into logical languages, in such a way that the main computational properties of 
the initial language (namely decidability or semi-decidability) are preserved. To 
the best of our knowledge, no published procedure offers similar features. There 
are very few decidability or even completeness results in inductive theorem prov- 
ing and we hope that the present work will help to promote new progress in this 
direction. Future work includes the implementation of the proof procedure and 
its extension to non-monadic defined symbols. 
6 Proof of Proposition 1

Proof. Since the base formulae contain no equations between elements of sort nat, we can assume that all parameters are mapped to distinct natural numbers (it is clear that this operation preserves satisfiability). Then any formula in #o (resp. Jz, resp. ^l) is essentially equivalent to a propositional formula (resp. to a formula of Presburger arithmetic, resp. to a first-order formula).

7 Proof of Theorem 1

We begin by showing that Start preserves satisfiability:

Lemma 1. For every proof tree $T$ of root $\alpha$ for $\phi$, $\phi$ is $\mathfrak{I}$-satisfiable iff $T(\alpha)$ has a model $I \in \mathfrak{I}$.

Proof. By definition, $T(\alpha)$ is of the form $\{\phi\} \cup \{\max(\{\mathrm{depth}(A_i) \mid i \in [1,n]\}) \sim N\}$, where $\{A_1,\ldots,A_n\}$ is the set of parameters occurring in $\phi$ and $N$ does not occur in $\phi$. Obviously, if $T(\alpha)$ is satisfiable, then $\phi$ also is. Conversely, let $I$ be a model of $\phi$. Let $J$ be the interpretation coinciding with $I$, except for the interpretation of $N$ that is defined as follows:

$[N]^J = \max\{\mathrm{depth}_I([A_i]^I) \mid i \in [1,n]\}$

Since $I$ and $J$ coincide on every symbol occurring in $\phi$ we must have $J \models \phi$. Furthermore, since $I$ and $J$ have the same domain and coincide on every constructor symbol, we must have $\mathrm{depth}_I(v) = \mathrm{depth}_J(v)$ for every element $v$. Consequently, for every $i \in [1,n]$ we have $\mathrm{depth}_J([A_i]^J) = \mathrm{depth}_I([A_i]^J) = \mathrm{depth}_I([A_i]^I)$ (since $A_i \neq N$), hence $J \models \mathrm{depth}(A_i) \preceq N$. Thus $J \models T(\alpha)$.

We then show that most expansion rules preserve logical equivalence.

Lemma 2. The rules $\vee$-Decomposition, $\wedge$-Decomposition, Closure, $N$-Closure, $\not\sim$-Closure, Unfolding, $\sim$-Decomposition, $\not\sim$-Decomposition, Replacement, Separation, Strictness, $\prec$-Separation and $\prec$-Decomposition are sound and invertible, i.e. for every proof tree $T$ and for every node $\alpha$ in $T$ on which one of these rules is applied, we have, for every interpretation $I \in \mathfrak{I}$:

$I \models T(\alpha)$ iff $\exists \beta,\ \alpha >_T \beta \wedge I \models T(\beta)$.

Proof. We consider each rule separately.

— Decomposition Rules. The proof is straightforward.

— Equality Rules.

• $\sim$-Decomposition: The node $\alpha$ is labeled by $\Phi \cup \{A \sim f(A_1,\ldots,A_n),\ A \sim g(B_1,\ldots,B_m)\}$ and has only one child $\beta$ labeled by $\Phi \cup \{\Delta(f(A_1,\ldots,A_n) \sim g(B_1,\ldots,B_m)),\ A \sim f(A_1,\ldots,A_n)\}$. Obviously, $T(\alpha) \equiv \Phi \cup \{f(A_1,\ldots,A_n) \sim g(B_1,\ldots,B_m),\ A \sim f(A_1,\ldots,A_n)\}$. By Condition 2 in Definition 6, we have $f(A_1,\ldots,A_n) \sim g(B_1,\ldots,B_m) \equiv_{\mathfrak{I}} \Delta(f(A_1,\ldots,A_n) \sim g(B_1,\ldots,B_m))$. Thus $T(\alpha) \equiv_{\mathfrak{I}} T(\beta)$.

• $\not\sim$-Decomposition: The proof is similar.

• Separation: We have $A \sim B \vee A \not\sim B \equiv \top$, hence the proof is immediate.

• Replacement: Obviously, $\Phi \wedge A \sim B \equiv \Phi[B/A] \wedge A \sim B$.

• $\not\sim$-Closure: By definition, $A \not\sim A \equiv \bot$.

— Depth Rules.

• Strictness: By definition of the interpretation of $\preceq$ and $\prec$, we have $\mathrm{depth}(A) \preceq N \equiv (\mathrm{depth}(A) \sim N \vee \mathrm{depth}(A) \prec N)$.

• $\prec$-Separation: By definition of the interpretation of $\prec$, if $I \models A \sim B$ then $I \models \mathrm{depth}(A) \sim \mathrm{depth}(B)$, thus $\mathrm{depth}(A) \prec N \wedge \mathrm{depth}(B) \sim N \equiv \mathrm{depth}(A) \prec N \wedge \mathrm{depth}(B) \sim N \wedge A \not\sim B$.

• $\prec$-Decomposition: By definition of the interpretation of $\prec$ and $\mathrm{succ}$, we have $\mathrm{depth}(A) \prec \mathrm{succ}(N) \equiv \mathrm{depth}(A) \preceq N$.

— Unfolding Rule.

• Unfolding: The node $\alpha$ is labeled by a set of formulas $\Phi \cup \{d_A\} \cup \{A \sim f(\mathbf{B})\}$. Moreover, $\alpha$ has only one child $\beta$ labeled by $\Phi \cup \{\psi\} \cup \{A \sim f(\mathbf{B})\}$, where $\psi$ is the formula obtained from $d_{f(\mathbf{B})}{\downarrow}_{\mathcal{R}}$ by replacing every occurrence of $f(\mathbf{B})$ by $A$. If $I \not\models A \sim f(\mathbf{B})$ then we have obviously $T(\alpha) \equiv_I T(\beta) \equiv_I \bot$. Otherwise, $\psi \equiv_I d_{f(\mathbf{B})}{\downarrow}_{\mathcal{R}}$ and $d_A \equiv_I d_{f(\mathbf{B})}$. Furthermore, by Condition 1 in Definition 6 we have $d_{f(\mathbf{B})} \equiv_I d_{f(\mathbf{B})}{\downarrow}_{\mathcal{R}}$. Thus $T(\alpha) \equiv_I T(\beta)$.

We now prove that the remaining rules (except Loop) preserve $\mathfrak{I}$-satisfiability. We first need to analyze the form of the formulas containing $\mathrm{depth}$ occurring in the proof tree:

Lemma 3. A depth-atom is an atom containing the $\mathrm{depth}$ function symbol. Let $T$ be a proof tree and let $\alpha$ be a node in $T$. If $\phi$ is a depth-atom occurring in a formula $\psi \in T(\alpha)$ then:

— $\psi$ is a boolean combination of depth-atoms.

— $\phi$ is of the form $\mathrm{depth}(A) \triangleleft t$, where $\triangleleft \in \{\sim, \prec, \preceq\}$ and $t \in \{N, \mathrm{succ}(N), \mathrm{succ}(0)\}$.

— If $\alpha$ is a layer, then $\triangleleft \in \{\sim, \prec\}$.

Proof. The only rules that can introduce formulas containing $\mathrm{depth}$ are Start, Strictness, $\prec$-Decomposition and Explosion. It is clear, by inspection of these rules, that the added formulas fulfill the above properties. Moreover, if $\alpha$ is a layer then by irreducibility w.r.t. $\vee$-Decomposition and $\wedge$-Decomposition, $\psi$ must be an atom. By irreducibility w.r.t. Strictness, $\triangleleft$ cannot be $\preceq$ and by irreducibility w.r.t. Explosion, $t$ must be $N$. $N$-Explosion can affect the right-hand side of a depth-atom by replacing $N$ by $\mathrm{succ}(N)$ or $\mathrm{succ}(0)$. However, due to the control, this rule is only applied on layers, thus the right-hand side must be $N$, hence no formula of the form $\mathrm{succ}(\mathrm{succ}(t))$ can be introduced.

Lemma 4. The rules Explosion and $N$-Explosion preserve satisfiability: for every proof tree $T$ and for every node $\alpha$ in $T$ on which one of these rules is applied and for every interpretation $I \in \mathfrak{I}$, the following properties are equivalent:

— $I \models T(\alpha)$.

— There exist $\beta$ with $\alpha >_T \beta$ and $J \in \mathfrak{I}$ such that the following conditions hold:

• $J \models T(\beta)$.

• For every symbol $s$ distinct from $N$ and occurring in $T(\alpha)$, we have $s^J = s^I$.

• If $N$-Explosion is applied on $\alpha$ then $N^J = N^I - 1$, otherwise $N^J = N^I$.

Proof. Again, we need to distinguish two cases.

— Explosion: By definition, $\alpha$ is labeled by $\Phi \cup \{\mathrm{depth}(B) \sim \mathrm{succ}(t)\}$ and its unique child $\beta$ is labeled by $\Phi \cup \{\bigvee_{i \in [1,n]} \max(E_i) \sim t \wedge B \sim t_i\}$, where $t_i$ is of the form $f_i(\mathbf{A}_i)$ and $E_i$ is the set of terms $\mathrm{depth}(C)$ where $C$ is a component of $\mathbf{A}_i$ of a sort in $\mathcal{I}$. Let $I$ be a model of $T(\alpha)$. By Point 3 in Definition 5, $[B]^I$ is equal to $[f_i(\mathbf{s})]^I$ for some $i \in [1,n]$ and for some vector of terms $\mathbf{s}$. Let $J$ be the interpretation coinciding with $I$, except on the constant symbols of $\mathbf{A}_i$ that are interpreted in such a way that $[\mathbf{A}_i]^J = [\mathbf{s}]^I$ (this is possible since $\mathbf{A}_i$ is a vector of fresh, distinct constant symbols). We have $J \models B \sim t_i$. Furthermore, by definition, $\mathrm{depth}_J(B) = 1 + \max\{\mathrm{depth}_J(C) \mid C \text{ occurs in } \mathbf{A}_i\}$. Thus, since we have $\mathrm{depth}_J(v) = 0$ if $v$ is of a sort in $\mathcal{S} \setminus \mathcal{I}$, $\mathrm{depth}_J(B) = 1 + \max_{C \in E_i} \mathrm{depth}_J(C)$. But since $I \models \mathrm{depth}(B) \sim \mathrm{succ}(t)$, we have $\mathrm{depth}_I(B) = [t]^I + 1$, thus $\mathrm{depth}_J(B) = [t]^I + 1$ and $J \models \max(E_i) \sim t$. Hence $J \models T(\beta)$.

Conversely, if $J \models T(\beta)$, then $J \models B \sim t_i$ for some $i \in [1,n]$. Then by definition of $\mathrm{depth}_J(t_i)$, we have $\mathrm{depth}_J(t_i) = 1 + \max(E_i)$, hence since $J \models \max(E_i) \sim t$, we have $J \models \mathrm{depth}(B) \sim \mathrm{succ}(t)$.

— $N$-Explosion: $\alpha$ is labeled by $\Phi$ and has two children, $\beta_1$ and $\beta_2$, labeled respectively by $\Phi[\mathrm{succ}(0)/N]$ and $\Phi[\mathrm{succ}(N)/N]$. Let $I$ be an interpretation validating $\Phi$. By definition, $N$ occurs in $\Phi$, which means that $\Phi$ contains a formula of the form $\mathrm{depth}(A) \triangleleft t$, where $N$ occurs in $t$. By Lemma 3, $t$ must be $N$, thus, since $I \models \mathrm{depth}(A) \triangleleft N$, necessarily $[N]^I > 0$ (since $\mathrm{depth}_I(A) > 0$). If $[N]^I = \mathrm{succ}(0)$ then obviously $I \models T(\beta_1)$. Otherwise, let $J$ be an interpretation coinciding with $I$ except that $[N]^J = [N]^I - 1$. Obviously, we have $J \models \Phi[\mathrm{succ}(N)/N]$, thus $J \models T(\beta_2)$. The converse is immediate.

We write $\alpha >_{T,k} \beta$ iff $\alpha >_T^* \beta$ and there exist exactly $k$ applications of $N$-Explosion in the branch from $\alpha$ to $\beta$.

Corollary 2. Let $T$ be a proof tree. Then:

— If $I \models T(\beta)$ and $\alpha >_{T,k} \beta$ then $I[([N]^I + k)/N] \models T(\alpha)$.

— If $I \models T(\alpha)$ then there exists a leaf $\beta$ such that $\alpha >_{T,k} \beta$ and an interpretation $J$ such that $J \models T(\beta)$, $I$ and $J$ coincide on any symbol occurring in $T(\alpha)$ distinct from $N$ and $[N]^J = [N]^I - k$.

Proof. This is an immediate consequence of Lemmata 2 and 4.



There only remains to handle the case of the Loop rule, which is actually the most complex one. To this aim, we need to introduce some additional definitions and lemmata.

Definition 8. A parameter $A$ is instantiated in a node $\alpha$ of a proof tree $T$ iff $T(\alpha)$ contains a formula of the form $A \sim f(\mathbf{B})$. It is $N$-controlled if $T(\alpha)$ contains a formula of the form $\mathrm{depth}(A) \triangleleft t$ with $\triangleleft \in \{\prec, \sim, \preceq\}$.

Definition 9. A node that is irreducible by $\vee$-Decomposition and $\wedge$-Decomposition is decomposed.

We write $\alpha \rhd_T \beta$ if $\alpha$ is non-decomposed and $\alpha >_T \beta$. Due to the control, $\beta$ is obtained by applying $\vee$-Decomposition or $\wedge$-Decomposition.

Proposition 2. Let $T$ be a proof tree. Let $\alpha >_T \beta$.

1. If $A$ is instantiated in $\alpha$ and not solved in $\beta$ then it is also instantiated in $\beta$.

2. If $A$ is $N$-controlled in $\alpha$ and if $\alpha \rhd_T \beta$ then $A$ is $N$-controlled in $\beta$.

Proof. 1. If $A$ is instantiated in $\alpha$ then $T(\alpha)$ contains a formula of the form $A \sim f(\mathbf{B})$. Since $A$ cannot be replaced, it is easy to check (by inspection of the expansion rules) that no rule can remove such a formula (except $\sim$-Decomposition, but in this case another formula of the form $A \sim g(\mathbf{C})$ occurs in the node). Thus $A$ is instantiated in $\beta$.
2. This is immediate since $\vee$-Decomposition and $\wedge$-Decomposition cannot delete non-complex formulae.

Lemma 5. Let $T$ be a proof tree. Let $\alpha$ be a non-closed decomposed node in $T$. Every parameter distinct from $N$ occurring in $T(\alpha)$ that is neither solved nor instantiated is $N$-controlled in $\alpha$.

Proof. The proof is by induction on the depth of $\alpha$ in $T$.

Assume first that all the parent nodes of $\alpha$ are non-decomposed. Since $\vee$-Decomposition and $\wedge$-Decomposition are applied with the highest priority, this implies that $\gamma \rhd_T^* \alpha$, where $\gamma$ is the root of $T$. These rules cannot introduce new parameters, hence $A$ occurs in $T(\gamma)$. Thus, by definition of Start, $T(\gamma)$ must contain exactly one formula of the form $\mathrm{depth}(A) \preceq N$. Hence $A$ is $N$-controlled in $\gamma$. By Proposition 2 (Point 2), it must be $N$-controlled in $\alpha$.

Now assume that there exists a node $\beta >_T^* \alpha$ that is irreducible by $\vee$-Decomposition and $\wedge$-Decomposition. We assume that $\beta$ is the deepest node having this property. Then there exists a node $\lambda$ such that $\beta >_T \lambda \rhd_T^* \alpha$. We distinguish two cases.

— Assume that $A$ occurs in $T(\beta)$. By Proposition 2 (Point 1), $A$ is also non-instantiated in $\beta$. By the induction hypothesis, $\beta$ contains a formula $\mathrm{depth}(A) \triangleleft t$. If $A$ is $N$-controlled in $\lambda$ then the proof follows immediately from Proposition 2 (Point 2). Now assume that $A$ is not $N$-controlled in $\lambda$, i.e., that the rule applied to $\beta$ deletes the formula $\mathrm{depth}(A) \triangleleft t$. By inspection of the expansion rules, it can be seen that the only rules that can delete such a formula are $\prec$-Decomposition, Strictness, and Explosion (note that $N$-Explosion can only affect $t$ and since $A$ occurs in $\alpha$, Replacement cannot be applied on $\beta$). $\prec$-Decomposition replaces a formula $\mathrm{depth}(A) \prec \mathrm{succ}(N)$ by $\mathrm{depth}(A) \preceq N$, hence $A$ is $N$-controlled in $\lambda$, which is impossible by assumption. If Strictness is applied on $\mathrm{depth}(A) \triangleleft t$ then a formula of the form $\mathrm{depth}(A) \sim N \vee \mathrm{depth}(A) \prec N$ occurs in $T(\lambda)$. Since $\alpha$ is decomposed, $T(\alpha)$ contains either $\mathrm{depth}(A) \sim N$ or $\mathrm{depth}(A) \prec N$, hence $A$ is $N$-controlled in $\alpha$. If Explosion is applied and deletes $\mathrm{depth}(A) \triangleleft t$ it must simultaneously introduce an equation of the form $A \sim f(\ldots)$, thus $A$ is instantiated in $\lambda$, hence, by Proposition 2 (Point 1), also in $\alpha$, a contradiction.

— Now, assume that $A$ does not occur in $T(\beta)$. The only rule that can introduce a new parameter $A$ is Explosion, but this rule simultaneously introduces a formula $\max(E) \sim N$, where $\mathrm{depth}(A) \in E$. After some decomposition steps, an atom of the form $\mathrm{depth}(A) \sim N$ or $\mathrm{depth}(A) \prec N$ must occur in every branch. Thus the property remains true.

Definition 10. Let $I$ be an interpretation, let $A$ be a parameter of sort $s$ and let $v$ be an element of $s^I$. We denote by $\lambda(I, A, v)$ the $I$-mapping for $I$ such that $\lambda(v) = A^I$ and $\lambda(e) = e$ for every $e \neq v$, and by $J(I, A, v)$ the interpretation obtained from $\lambda(I)$ by replacing the value of every parameter $B$ such that $I \models B \sim A$ by $v$.

Proposition 3. Let $\phi$ be a base formula. Let $I$ be an interpretation, let $A$ be a parameter of sort $s$ and let $v$ be an element of $s^I$. If for all parameters $B$ occurring in $\phi$, we have $B^I \neq v$, then:

1. For every term $t$ of a sort $s' \notin \mathcal{I}$ occurring in $\phi$, we have $[t]^{J(I,A,v)} = [t]^I$.

2. For every subformula $\psi$ of $\phi$, $[\psi]^{J(I,A,v)} = [\psi]^I$.

Proof. The proof is by structural induction on $t$ and $\psi$. We only give the detailed proof for $t$, since the inductive cases for $\psi$ are straightforward (since base formulas cannot contain equations between terms of a sort in $\mathcal{I}$).

Let $J = J(I, A, v)$ and $\lambda = \lambda(I, A, v)$. If $t$ is a variable $x$, then $I$ and $J$ coincide on $x$, thus we have $[t]^J = [t]^I$. Assume that $t$ is of the form $f(t_1,\ldots,t_n)$, where $f$ is a function symbol of profile $s_1 \times \cdots \times s_n \to s$. By definition of $\lambda(I)$, we have

$[t]^J = f^I(\lambda([t_1]^J), \ldots, \lambda([t_n]^J))$.

By the induction hypothesis, for every $i \in [1,n]$, if $s_i \notin \mathcal{I}$ then $[t_i]^J = [t_i]^I$, thus $\lambda([t_i]^J) = [t_i]^I$ (since $\lambda$ is the identity on any element distinct from $v$, hence on any element of the domain of a sort not occurring in $\mathcal{I}$).

Now, assume that there exists $i \in [1,n]$ such that $t_i$ is of an inductive sort. Since $t$ occurs in $\phi$, it cannot contain any constructor symbol (by Condition 2 in Definition 7), hence $t_i$ must be a parameter. If $I \models t_i \sim A$, then $\lambda([t_i]^J) = \lambda(v) = [A]^I = [t_i]^I$. Otherwise $\lambda([t_i]^J) = \lambda([t_i]^I) = [t_i]^I$.

Thus for all $i \in [1,n]$, $\lambda([t_i]^J) = [t_i]^I$ and $[t]^J = f^I([t_1]^I, \ldots, [t_n]^I) = [t]^I$.

Proposition 4. Let $T$ be a proof tree. Let $\alpha$ be a layer in $T$. Let $I$ be a model of $T(\alpha)$. If $A$ is neither solved nor instantiated in $\alpha$ then $\mathrm{depth}_I([A]^I) \leq [N]^I$. If $A$ is instantiated in $\alpha$ then $\mathrm{depth}_I([A]^I) > [N]^I$.

Proof. The first point is a direct consequence of Lemma 5. Let $A$ be a parameter that is instantiated in $\alpha$. Then $T(\alpha)$ must contain a formula of the form $A \sim f(B_1,\ldots,B_n)$. The only rule that can introduce such a formula is Explosion. Thus there must exist a node $\beta >_T^* \alpha$ on which Explosion is applied, yielding a formula of the form $A' \sim f(B'_1,\ldots,B'_n)$. Furthermore, $A'$ must be reduced to $A$ by Replacement, hence there exist $k$ nodes $A_1,\ldots,A_k$ with $A_1 = A$, $A_k = A'$ and for all $i \in [1,k-1]$, there exists a node $\gamma_i$ such that $\beta >_T^* \gamma_i >_T^* \alpha$ and $A_i \sim A_{i+1} \in T(\gamma_i)$. By definition of Explosion, $T(\beta)$ contains a formula $\mathrm{depth}(A') \sim \mathrm{succ}(N)$. By Corollary 2, there exists $l \in \mathbb{N}$ such that $I[([N]^I + l)/N]$ validates the formula $\mathrm{depth}(A') \sim \mathrm{succ}(N)$ and all the formulae $A_i \sim A_{i+1}$ ($1 \leq i \leq k-1$). Then we must have $\mathrm{depth}_I(A) = [\mathrm{succ}(N)]^I + l > [N]^I$.

Proposition 5. Let $T$ be a proof tree. Let $\alpha$ be a layer in $T$. Any equation between parameters occurring in $T(\alpha)$ is solved.

Proof. If $T(\alpha)$ contains a non-solved equation $A \sim B$ then by definition Replacement would apply.

Lemma 6. Let $T$ be a proof tree. Let $\alpha$ be a layer in $T$. If $I \models \mathrm{NonEq}(T(\alpha))$ then there exists an interpretation $J$ such that $J \models T(\alpha)$ and $[N]^J = [N]^I$.

Proof. We denote by $\mathrm{RmEq}(\Phi)$ the set obtained from $\Phi$ by removing all formulas of the form $A \sim f(\mathbf{B})$.

If $I \models \mathrm{NonEq}(T(\alpha))$ then it is obvious that there exists an interpretation $I'$ such that $I' \models \mathrm{RmEq}(T(\alpha))$: indeed, all the formulae occurring in $\mathrm{RmEq}(T(\alpha))$ but not in $\mathrm{NonEq}(T(\alpha))$ are equations between parameters, which must be solved by Proposition 5. Thus it suffices to interpret each solved parameter $A$ in the same way as the (necessarily unique) parameter $B$ such that $A \sim B$ occurs in $\mathrm{RmEq}(T(\alpha))$.

$N$ cannot be solved, thus $[N]^{I'} = [N]^I$. By definition, the solved parameters cannot occur in $\mathrm{NonEq}(T(\alpha))$, thus $I$ and $I'$ coincide on any formula in $\mathrm{NonEq}(T(\alpha))$ and $I' \models \mathrm{NonEq}(T(\alpha))$. Moreover, $I'$ validates all solved equations, by definition.

Let $>$ be a total order on parameters such that $A > B$ if $\mathrm{depth}_{I'}(A) > \mathrm{depth}_{I'}(B)$.

For any parameter $A$, we denote by $\mathrm{RmEq}'(\Phi, A)$ the set of formulas obtained from $\Phi$ by deleting all formulae of the form $B \sim f(\mathbf{B})$ where $B > A$. We shall show, by induction on $A$, that one can construct an interpretation $J$ such that $J \models \mathrm{RmEq}'(T(\alpha), A)$ and $[N]^J = [N]^{I'}$. Then the result will follow, simply by instantiating $A$ with the $>$-maximal parameter.

Assume that $J$ has been constructed for the greatest parameter $C$ such that $A > C$ (if $A$ is minimal, then we simply take $J = I'$). If $T(\alpha)$ contains no formula of the form $A \sim f(B_1,\ldots,B_n)$ then obviously $\mathrm{RmEq}'(T(\alpha), A) = \mathrm{RmEq}'(T(\alpha), C)$ and $J \models \mathrm{RmEq}'(T(\alpha), A)$. Thus we assume that $T(\alpha)$ contains such a formula. Since $\alpha$ is a layer, by irreducibility w.r.t. $\sim$-Decomposition, this formula must be unique. Let $v = [f(B_1,\ldots,B_n)]^J$. Let $\lambda = \lambda(J, A, v)$ and $K = J(J, A, v)$.

We first show that for all parameters $A'$ in $\mathrm{RmEq}'(T(\alpha), A)$, we have $[A']^J \neq v$. Notice that, by definition, $A'$ cannot be solved in $\alpha$. If $A'$ is non-instantiated then by Proposition 4 we have $\mathrm{depth}_J(A') \leq N$. Moreover, since $A$ is instantiated, we have, still by Proposition 4, $\mathrm{depth}_J(A) > N$, thus $\mathrm{depth}_J(v) > N$ and $[A']^J \neq v$. If $A'$ is instantiated, $T(\alpha)$ contains a formula $A' \sim g(B'_1,\ldots,B'_k)$. By irreducibility w.r.t. Separation, $T(\alpha)$ contains $A \not\sim A'$. By irreducibility w.r.t. $\not\sim$-Decomposition, $T(\alpha)$ must contain a set of disequations $E$ between elements of $B_1,\ldots,B_n,B'_1,\ldots,B'_k$ such that $E \models f(B_1,\ldots,B_n) \not\sim g(B'_1,\ldots,B'_k)$. But $E \subseteq \mathrm{RmEq}'(T(\alpha), A)$, thus $J \models E$, whence $[A']^J \neq [A]^J$.

By definition $K \models A \sim f(B_1,\ldots,B_n)$. Let $\phi$ be a formula occurring in $\mathrm{RmEq}'(T(\alpha), A)$. We know that $J \models \phi$. We prove that $K \models \phi$.

By Proposition 3, if $\phi$ is a base formula then $[\phi]^J = [\phi]^K$, thus $K \models \phi$.

If $\phi$ is of the form $\mathrm{depth}(A') \triangleleft N$, for some $\triangleleft \in \{\sim, \prec\}$, then by Proposition 4, $A'$ cannot be instantiated, hence $A' \neq A$ and $J$, $K$ coincide on $\phi$, thus $K \models \phi$.

If $\phi$ is of the form $A' \sim g(B'_1,\ldots,B'_m)$ then we have $A' < A$, hence $B'_1,\ldots,B'_m < A$, thus $J$ and $K$ coincide on $A', B'_1,\ldots,B'_m$ and the proof is immediate.

If $\phi$ is of the form $B \sim C$ or $B \not\sim C$ then by definition of $K$ we have $K \models \phi$.

Proposition 6. If $\Phi \sqsubseteq \Psi$ and $I \models \Phi$ then there exists an interpretation $J$ such that $[N]^J = [N]^I$ and $J \models \Psi$.

Proof. By definition, we have $\rho(\Psi) \subseteq \Phi$, for some renaming $\rho$. It suffices to consider the interpretation $J$ coinciding with $I$ except that every parameter $A$ is mapped to $[\rho(A)]^I$. It is clear that for every expression $e$, $[e]^J = [\rho(e)]^I$. Since $I \models \Phi$ we have $I \models \rho(\Psi)$, hence $J \models \Psi$.

A proof tree $T$ is $\mathfrak{I}$-satisfiable iff there exists a leaf node $\alpha$ in $T$ such that $T(\alpha)$ is $\mathfrak{I}$-satisfiable.

Lemma 7. Loop preserves global satisfiability, i.e. if $T$ is $\mathfrak{I}$-satisfiable then any proof tree $T'$ obtained from $T$ by applying Loop is also $\mathfrak{I}$-satisfiable.

Proof. Let $\alpha$ be the node on which Loop is applied. $T'$ is identical to $T$ except that $\alpha$ has a child $\beta$ whose label contains $\bot$. Obviously, if $T'$ is satisfiable then so is $T$ (since all $\mathfrak{I}$-satisfiable leaves of $T'$ are in $T$).

Conversely, let $\gamma$ be the root of $T$ and let $I$ be a model of $T(\gamma)$ such that the interpretation of $N$ is minimal (i.e. if $[N]^J < [N]^I$ then $J \not\models T(\gamma)$). By Corollary 2 there exists a leaf $\alpha'$ in $T$ and an interpretation $J$ such that $J \models T(\alpha')$, $\gamma >_{T,k} \alpha'$ and $[N]^J = [N]^I - k$. If $\alpha'$ is distinct from $\alpha$, then $\alpha'$ is a leaf in $T'$ and the proof is immediate. Thus we assume that $\alpha' = \alpha$. By definition of Loop, there exists a node $\beta >_T^* \alpha$ such that $\mathrm{NonEq}(\Phi) \sqsubseteq \mathrm{NonEq}(\Psi)$, with $T(\alpha) = \Phi$ and $T(\beta) = \Psi$. By Proposition 6, there exists an interpretation $J'$ such that $J' \models \mathrm{RmEq}(\Psi)$ and $[N]^{J'} = [N]^J$. By Lemma 6, there exists an interpretation $J''$ such that $J'' \models \Psi$ and $[N]^{J''} = [N]^{J'}$.

By definition, there exist $k'$ and $k'' > 0$ such that $\gamma >_{T,k'} \beta >_{T,k''} \alpha$, where $k = k' + k''$. By Proposition 6, there exists an interpretation $K$ such that $K \models T(\alpha)$ and $[N]^K = [N]^J = [N]^I - k$. By Corollary 2, $J''[([N]^{J''} + k')/N] \models T(\gamma)$. But the value of $N$ in $J''[([N]^{J''} + k')/N]$ is $[N]^I - k + k' = [N]^I - k''$. Since $k'' \neq 0$ this contradicts the minimality of $I$.

Main proof 

This follows immediately from the previous lemmata. 
8 Proof of Theorem 2

Lemma 8. Let $\mathcal{T}$ be a proof tree. Let $\alpha$ be a layer in $\mathcal{T}$. Let $\phi$ be a formula in
$\mathrm{NonEq}(\mathcal{T}(\alpha))$. One of the following conditions holds:

— $\phi$ is a base formula.

— $\phi$ is of the form $d_A$ where $A$ is a parameter.

— $\phi$ is of the form $\mathrm{depth}(A) \lhd N$, where $\lhd \in \{\prec, \simeq\}$.

— $\phi$ is of the form $A \neq B$, where $A, B$ are parameters.

Furthermore, if $A$ and $B$ are two non-solved parameters occurring in $\mathcal{T}(\alpha)$ then
$A \neq B \in \mathcal{T}(\alpha)$.

Proof. Let $\phi$ be a formula occurring in $\mathrm{NonEq}(\mathcal{T}(\alpha))$. By definition, $\phi$ cannot
be an equation. If $\phi$ contains a depth-atom then by Lemma 3 it must be of
the form $\mathrm{depth}(A) \lhd N$, where $\lhd \in \{\prec, \simeq\}$. Otherwise, $\phi$ must be a subformula
introduced either by Start or by Unfolding (up to a renaming of parameters).
Hence $\phi$ must be in J. If $\phi$ is not a base formula then $\vee$-Decomposition or
$\wedge$-Decomposition applies.

Finally, if $A$ and $B$ are two parameters occurring in $\mathcal{T}(\alpha)$ then by irreducibility
w.r.t. Separation, either $A \simeq B$ (or $B \simeq A$) occurs in $\mathcal{T}(\alpha)$ (in which case
$A$ or $B$ is solved) or $A \neq B \in \mathcal{T}(\alpha)$.

Main proof 

The first point follows from Lemma 8.

By Lemma 8 we only have to prove that $\mathcal{T}(\alpha)$ contains no depth-atoms and
no defined atoms.

Assume that $\mathcal{T}(\alpha)$ contains an occurrence of $N$. Then since no other rule
applies, $N$-Explosion must apply, which is impossible. Thus $N$ does not occur
in $\mathcal{T}(\alpha)$. This implies that $\mathcal{T}(\alpha)$ contains no depth-atoms. But then by Lemma
5 all non-solved parameters occurring in $\mathcal{T}(\alpha)$ are instantiated.

Assume that $\mathcal{T}(\alpha)$ contains a defined symbol $d$. By irreducibility w.r.t. $\vee$-
Decomposition and $\wedge$-Decomposition, this defined symbol must occur in a
formula $d_A \in \mathcal{T}(\alpha)$. Since $A$ is instantiated, Unfolding applies, which is
impossible.



9 Proof of Theorem 3



We define the following measures on formulae:

Definition 11. Let $a$ be the maximal arity of the symbols in $\Sigma$. We denote
by weight a function mapping every term, atom or literal to a natural number,
defined as follows:

1. $\mathrm{weight}(A) = 1$ if $A$ is a parameter.

2. $\mathrm{weight}(f(t_1,\dots,t_n)) = 1 + \sum_{i=1}^{n} \mathrm{weight}(t_i)$ if $f \notin \{\mathrm{depth}, \mathrm{succ}\}$.

3. $\mathrm{weight}(\mathrm{depth}(t)) = \mathrm{weight}(t)$.

4. $\mathrm{weight}(\mathrm{succ}(t)) = 3 + a + \mathrm{weight}(t)$.

5. $\mathrm{weight}(t \simeq s) = \mathrm{weight}(t \prec s) = \mathrm{weight}(t) + \mathrm{weight}(s) + 1$.

6. $\mathrm{weight}(\neg\phi) = 1 + \mathrm{weight}(\phi)$.

7. $\mathrm{weight}(t \preceq s) = \mathrm{weight}(t) + \mathrm{weight}(s) + 2$.

8. $\mathrm{weight}(d_A) = 1 + \max_{f \in \Sigma} \mathrm{weight}(\psi_f)$, where $\psi_f$ is obtained from $d_{f(\mathbf{B})}\downarrow_{\mathfrak{R}}$ by
replacing every occurrence of $f(\mathbf{B})$ by $A$. $\mathbf{B}$ denotes a vector of parameters
of the same sort as the domain of $f$ (the value of weight does not depend on
the names of the parameters, thus they can be chosen arbitrarily).

Definition 12.

$\mathrm{mes}(S) = (\{\mathrm{weight}(\phi) \mid \phi \in S'\}, \mathrm{separable}(S), \mathrm{diseq}(S), \mathrm{unsolved}(S))$
where:

— $S'$ denotes the set of formulas in $S$ that are not of the form $A \simeq B$ or $A \neq B$,
with $A, B \in \mathcal{V}$.

— $\mathrm{separable}(S)$ denotes the number of pairs of parameters $(A, B)$ occurring in
$S$ such that neither $A \simeq B$ nor $A \neq B$ is contained in $S$.

— $\mathrm{diseq}(S)$ denotes the number of formulas in $S$ on which $\neq$-Decomposition
applies.

— $\mathrm{unsolved}(S)$ is the number of unsolved parameters in $S$.

The measure mes is ordered by the lexicographic and multiset extensions of the
usual ordering on natural numbers.

The next lemma shows that all the expansion rules, except $N$-Explosion,
strictly decrease mes (possibly after some applications of the decomposition
rules):

Lemma 9. Let $\mathcal{T}$ be a proof tree. If $\alpha$ is a node obtained from a node $\beta$ by
applying an expansion rule distinct from $N$-Explosion, then there exists a node
$\alpha'$, equal to $\alpha$ or obtained from $\alpha$ by applying decomposition rules, such that
$\mathrm{mes}(\mathcal{T}(\alpha')) < \mathrm{mes}(\mathcal{T}(\beta))$.

Proof. We distinguish several cases.

— Decomposition Rules. The rules $\vee$-Decomposition, $\wedge$-Decomposition,
Closure, $N$-Closure and $\simeq$-Closure remove (at least) one logical symbol
from $S$, thus weight decreases strictly.

— Unfolding Rule. The rule replaces a formula $d_A$ by a formula $\psi$ obtained from
$d_{f(B_1,\dots,B_n)}\downarrow_{\mathfrak{R}}$ by replacing $f(B_1,\dots,B_n)$ by $A$. By definition of weight, we
have $\mathrm{weight}(d_A) > \mathrm{weight}(\psi)$, thus mes decreases strictly.

— Equality Rules.

• $\simeq$-Decomposition. The rule temporarily increases weight, since a (complex)
formula $\psi = \Delta(f(A_1,\dots,A_n) \simeq g(B_1,\dots,B_m))$ is added in
$S$. However, due to the control, the decomposition rules must be immediately
applied on this formula. By definition, $\Delta(f(A_1,\dots,A_n) \simeq g(B_1,\dots,B_m))$
only contains the symbols $\vee$, $\wedge$, $\simeq$ and parameters in
$A_1,\dots,A_n,B_1,\dots,B_m$, thus it must be reduced by decomposition into
equations between parameters. Thus weight cannot increase. Furthermore,
since an equation $A \simeq g(B_1,\dots,B_m)$ is deleted, weight must decrease.

• $\neq$-Decomposition. The rule temporarily increases weight, since a (complex)
formula $\psi$ is added in $S$. However, due to the control, the decomposition
rules must be immediately applied on this formula. By definition,
$\Delta(f(A_1,\dots,A_n) \simeq g(B_1,\dots,B_m))$ only contains the symbols $\vee$, $\wedge$, $\simeq$
and parameters in $A_1,\dots,A_n,B_1,\dots,B_m$. Thus $\mathrm{NNF}(\neg\psi)$, being the
nnf of $\neg\Delta(f(A_1,\dots,A_n) \simeq g(B_1,\dots,B_m))$, must be reduced by decomposition
into disequations between parameters. Thus weight cannot increase.
Obviously, separable does not increase either and diseq decreases, by definition.

• Separation. It is clear that the rule does not increase weight (since only
equations or disequations between parameters are added) and decreases
separable.

• Replacement. The rule does not increase weight, separable and diseq
and decreases unsolved.

— Depth Rules.

• Strictness: A formula $\mathrm{depth}(A) \preceq N$ is replaced by $\mathrm{depth}(A) \simeq N \vee
\mathrm{depth}(A) \prec N$. After decomposition, this last formula is reduced to either
$\mathrm{depth}(A) \simeq N$ or $\mathrm{depth}(A) \prec N$. We have $\mathrm{weight}(\mathrm{depth}(A) \simeq N) =
\mathrm{weight}(\mathrm{depth}(A) \prec N) = 3$ and $\mathrm{weight}(\mathrm{depth}(A) \preceq N) = 4$. Thus weight
decreases.

• $\prec$-Separation: Since the rule only adds a disequation between parameters,
weight does not increase. Moreover, separable decreases, due to the
control.

• $\prec$-Decomposition: A formula $\mathrm{depth}(A) \prec \mathrm{succ}(A)$ is replaced by
$\mathrm{depth}(A) \preceq N$. We have $\mathrm{weight}(\mathrm{depth}(A) \prec \mathrm{succ}(A)) = 6 + a$ and
$\mathrm{weight}(\mathrm{depth}(A) \preceq N) = 5$. Thus weight decreases.

— Explosion. After decomposition, a formula of the form $\mathrm{depth}(B) \simeq \mathrm{succ}(t)$
is replaced by formulae of the form $B \simeq t_i$ or $\mathrm{depth}(A) \simeq t$ or $\mathrm{depth}(A) \prec t$.
We have $\mathrm{weight}(\mathrm{depth}(B) \simeq \mathrm{succ}(t)) = 4 + a + \mathrm{weight}(t)$ and $\mathrm{weight}(B \simeq
t_i) = 2 + \mathrm{weight}(t_i) \leq 3 + a$, $\mathrm{weight}(\mathrm{depth}(A) \simeq t) = 2 + \mathrm{weight}(t)$,
$\mathrm{weight}(\mathrm{depth}(A) \preceq t) = 3 + \mathrm{weight}(t)$. Thus weight decreases.

A layer formula is a set of formulas that is irreducible w.r.t. all expansion
rules, except $N$-Explosion.



We now prove that $\sqsubseteq$ is a well quasi-order for layer formulae. We need to
introduce some additional definitions. A sequence of sets of formulae $(\Psi_i)_{i \in [0,n[}$
(with $n \in \mathbb{N} \cup \{\infty\}$) is $\sqsubseteq$-bad iff there are no indices $i, j \in [0,n[$ such that $i < j$
and $\Psi_j \sqsubseteq \Psi_i$. A layer formula $\Phi$ is built on a set of base formulae $\Gamma$ iff all the
non-equational formulae in $\Phi$ are of the form $\phi[A/x]$, where $\phi \in \Gamma \cup \{\mathrm{depth}(x) \prec
N, \mathrm{depth}(x) \simeq N\}$ ($x$ is a variable and $A$ a parameter).

Proposition 7. Let $\mathcal{T}$ be a proof tree for a formula $\phi$. There exists a finite set
of base formulas $\Gamma$ such that for every layer $\alpha$, $\mathrm{NonEq}(\mathcal{T}(\alpha))$ is built on $\Gamma$.

Proof. Let $\alpha$ be a layer in $\mathcal{T}$. By Lemma 3 all the formulae containing depth must
be of the form $\mathrm{depth}(A) \lhd N$ where $\lhd \in \{\simeq, \prec\}$. By Lemma 5 the remaining
formulae must be base formulae. The only rules that can add new base formulae into
the proof tree (up to a renaming of parameters) are Start and Unfolding. The
former only adds base formulae occurring in $\phi$. The formulae introduced by the
latter rule are obtained from formulae occurring in $\mathfrak{R}$ by instantiating variables
by constant symbols and replacing a term $f(\mathbf{A})$ by a parameter. By definition
there are only finitely many such formulae (up to a renaming of parameters).

Lemma 10. Let $(\Psi_i)_{i \in \mathbb{N}}$ be an infinite sequence of layer formulae built on a
given finite set of base formulas $\Gamma$. The sequence $(\mathrm{NonEq}(\Psi_i))_{i \in \mathbb{N}}$ is $\sqsubseteq$-good.

Proof. Let $\Psi'_i = \mathrm{NonEq}(\Psi_i)$. By Lemma 5, $\Psi'_i$ contains only base formulae, formulae
of the form $d_A$ or $\mathrm{depth}(A) \lhd N$ and disequations between parameters.

For every parameter $A$, we denote by $\Psi'_i|_A$ the set of base formulae $\psi \in
\Gamma \cup \{\mathrm{depth}(x) \prec N, \mathrm{depth}(x) \simeq N\}$ containing a variable $x$ and such that
$\psi[A/x] \in \Psi'_i$. We write $A \equiv B$ iff $\Psi'_i|_A = \Psi'_i|_B$. The relation $\equiv$ is obviously
an equivalence relation. For every $\mathcal{A} \subseteq \Gamma \cup \{\mathrm{depth}(x) \prec N, \mathrm{depth}(x) \simeq N\}$,
we denote by $\mathcal{P}(\mathcal{A}, \Psi'_i)$ the set of parameters $A$ such that $\Psi'_i|_A = \mathcal{A}$.

For any sequence $\Psi = (\Psi_i)_{i \in I}$ of sets of formulae, we denote by $Q(\Psi)$ the set
$\{\Psi_i|_A \mid A \in \mathcal{V}, i \in I\}$. Note that $Q(\Psi) \subseteq 2^{\Gamma \cup \{\mathrm{depth}(x) \prec N, \mathrm{depth}(x) \simeq N\}}$.

Assume that $\Psi = (\Psi'_i)_{i \in \mathbb{N}}$ is $\sqsubseteq$-bad. Without loss of generality, we assume
that $Q(\Psi)$ is minimal, i.e. if $\Psi'$ is a sequence of base formulae built on $\Gamma$ such
that $Q(\Psi') \subsetneq Q(\Psi)$, then $\Psi'$ is $\sqsubseteq$-good.

If $Q(\Psi) = \emptyset$ then necessarily the $\Psi'_i$ ($i \in I$) contain only formulae
in $\Gamma$ and disequations between parameters. Since $\Gamma$ is finite, the number of sets
of formulae in $\Gamma$ is also finite. Since $\Psi$ is infinite, there exists some subsequence
$\Psi'' = (\Psi''_i)_{i \in \mathbb{N}}$ of $\Psi$ such that for every $i, j \in \mathbb{N}$, $\Psi''_i$ and $\Psi''_j$ only differ by disequations.
Let $i \in \mathbb{N}$ be the index such that the number of parameters in $\Psi''_i$ is minimal.
We show that $\Psi''_i \sqsubseteq \Psi''_{i+1}$. By definition the number of parameters occurring in $\Psi''_{i+1}$
is greater or equal to that of $\Psi''_i$. Thus there exists an injective function
$\rho$ from the set of parameters in $\Psi''_i$ into the set of parameters in $\Psi''_{i+1}$. Then,
if $A \neq B$ is a formula in $\Psi''_i$, there must exist two distinct parameters $A', B'$
such that $\rho(A) = A'$ and $\rho(B) = B'$, and $A', B'$ occur in $\Psi''_{i+1}$. Furthermore, by
Lemma 8, $A' \neq B'$ occurs in $\Psi''_{i+1}$. Thus $\rho(\Psi''_i) \subseteq \Psi''_{i+1}$, whence $\Psi''_i \sqsubseteq \Psi''_{i+1}$. This
means that $\Psi''$ (hence also $\Psi$) is $\sqsubseteq$-good, which contradicts our hypothesis.

Thus we must have $Q(\Psi) \neq \emptyset$. Let $A$ be a parameter occurring in $\Psi'_0$ and let
$\mathcal{A} = \Psi'_0|_A$. Let $k \in [0, |\mathcal{P}(\mathcal{A}, \Psi'_0)|[$. Consider the set of indices $\{i_j \mid j \in I'\}$
such that $|\mathcal{P}(\mathcal{A}, \Psi'_{i_j})| = k$. Let $\Psi''' = (\Psi'''_j)_{j \in I'}$ be the sequence such that $\Psi'''_j$ is obtained
from $\Psi'_{i_j}$ by removing each formula containing a parameter $A \in \mathcal{P}(\mathcal{A}, \Psi'_{i_j})$. By
definition of $\Psi'''$, we have $Q(\Psi''') \subsetneq Q(\Psi)$ (since $Q(\Psi''')$ cannot contain $\mathcal{A}$).

Assume that $\Psi'''$ is infinite. By minimality of $\Psi$, $\Psi'''$ must be $\sqsubseteq$-good. Consequently,
there exist two indices $j < j'$ such that $\Psi'''_j \sqsubseteq \Psi'''_{j'}$, i.e. there exists a
renaming $\rho$ such that $\rho(\Psi'''_j) \subseteq \Psi'''_{j'}$. By definition of $\Psi'''_j$, we have $|\mathcal{P}(\mathcal{A}, \Psi'_{i_j})| =
|\mathcal{P}(\mathcal{A}, \Psi'_{i_{j'}})| = k$. Let $\rho'$ be any bijective renaming from $\mathcal{P}(\mathcal{A}, \Psi'_{i_j})$ to $\mathcal{P}(\mathcal{A}, \Psi'_{i_{j'}})$.
By definition $\rho'$ and $\rho$ have disjoint domains. Let $\rho'' = \rho \cup \rho'$. It is easy
to check that we have $\rho''(\Psi'_{i_j}) \subseteq \Psi'_{i_{j'}}$, hence $\Psi'_{i_j} \sqsubseteq \Psi'_{i_{j'}}$, which is impossible. Thus
$\Psi'''$ is finite. Since this is true for every $k < |\mathcal{P}(\mathcal{A}, \Psi'_0)|$, this implies that there exists
some index $j$ such that for every $i > j$, we have $|\mathcal{P}(\mathcal{A}, \Psi'_i)| \geq |\mathcal{P}(\mathcal{A}, \Psi'_0)|$. But
then, since the same reasoning holds for every $\mathcal{A}$, there must exist some $j \in I$
such that for every $i > j$ and for every $\mathcal{A} \subseteq \Gamma \cup \{\mathrm{depth}(x) \simeq N, \mathrm{depth}(x) \prec N\}$:
$|\mathcal{P}(\mathcal{A}, \Psi'_i)| \geq |\mathcal{P}(\mathcal{A}, \Psi'_0)|$ (it suffices to take the maximal value of all the $j$'s
corresponding to each $\mathcal{A}$, which is possible since the number of distinct sets $\mathcal{A}$ is
finite).

We have in particular: $\forall \mathcal{A} \subseteq \Gamma \cup \{\mathrm{depth}(x) \simeq N, \mathrm{depth}(x) \prec N\}$, $|\mathcal{P}(\mathcal{A}, \Psi'_i)| \geq
|\mathcal{P}(\mathcal{A}, \Psi'_0)|$.

Thus there exists an injective renaming $\rho_{\mathcal{A}}$ from $\mathcal{P}(\mathcal{A}, \Psi'_0)$ to $\mathcal{P}(\mathcal{A}, \Psi'_i)$.
By definition, if $\mathcal{A} \neq \mathcal{A}'$, then $\rho_{\mathcal{A}}$ and $\rho_{\mathcal{A}'}$ have disjoint domains. Let $\rho =
\bigcup_{\mathcal{A} \subseteq \Gamma \cup \{\mathrm{depth}(x) \simeq N, \mathrm{depth}(x) \prec N\}} \rho_{\mathcal{A}}$. It is clear that $\rho(\Psi'_0) \subseteq \Psi'_i$. Thus $\Psi$ is $\sqsubseteq$-good.

Main proof

Assume that there exists an infinite proof tree $\mathcal{T}$. $\mathcal{T}$ must have at least one infinite
branch $(\alpha_i)_{i \in \mathbb{N}}$. If there exist $i, j \in \mathbb{N}$ such that $i < j$ and $\mathcal{T}(\alpha_j) \sqsubseteq \mathcal{T}(\alpha_i)$ then
Loop applies on $\alpha_j$, which is impossible. Thus, by Lemma 10 the subsequence
of layer formulas in $(\mathcal{T}(\alpha_i))_{i \in \mathbb{N}}$ is finite, and there exists $i \in \mathbb{N}$ such that for every
$j > i$, $\alpha_j$ is not a layer formula. In this case, $N$-Explosion cannot be applied
on $\alpha_j$, hence by Lemma 9 we have $\mathrm{mes}(\mathcal{T}(\alpha_{j+l})) < \mathrm{mes}(\mathcal{T}(\alpha_j))$, for some $l > 0$.
Since mes is well-founded, we get a contradiction.



